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Introduction 





Microsoft Azure cloud adoption is on the rise, and Azure Automation plays a key role in 
building a sustainable and repeatable framework for creating and managing resources in 
Azure. This book will provide you an in-depth understanding of the options available in 
Azure Automation via the Azure Resource Manager (ARM) portal. 

Microsoft recommends the ARM model as the way forward for all Azure 
deployments. This book focuses exclusively on the ARM deployment model for Azure 
Automation. This model has more robust options when compared to the classic 
deployment model. 

This book provides in-depth coverage of topics such as runbook authoring and 
types of Automation runbooks. It also covers advanced topics including hybrid cloud 
automation from the ARM-based Azure portal. 

Chapter 1, “Introduction to Azure Automation,’ introduces Azure Automation, 
providing an overview of features and guidelines on getting started with the service in the 
ARM portal. 

Chapter 2, “Azure Automation Assets,’ explores the basic building blocks of 
runbooks, called Automation assets. These assets include schedules, modules, 
certificates, connections, variables, and credentials. 

Chapter 3, “Azure Automation Runbook Types,’ covers the various runbook types in 
Azure Automation: PowerShell, PowerShell Workflow, Graphical and Graphical PowerShell 
Workflow. This chapter gives a walk-through of runbook creation, testing, and publishing. 

Chapter 4, "Azure Automation DSC,’ covers integration of Azure Automation with 
PowerShell Desired State Configuration(DSC), including various cloud, on-premises, and 
hybrid scenarios. 

Chapter 5, “Hybrid Cloud Automation,’ covers the Hybrid Runbook Worker in Azure 
Automation, which facilitates execution of runbooks in your on-premises datacenters or 
systems hosted in third-party cloud service providers. 

Chapter 6, “Sample Runbooks and Use Cases,’ provides a walk-through of some 
popular use cases and their implementations using Azure Automation. 

This book is written for infrastructure and cloud architects, cloud support engineers, 
system administrators, and IT strategists with a basic understanding of the Azure cloud 
platform and PowerShell scripting. 
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CHAPTER 1 


Introduction to Azure 
Automation 





Automating operational tasks is critical for streamlining infrastructure management, 
both on premises and in the cloud. Microsoft Azure Automation comes with capabilities 
that help administrators automate their cloud-based, operational, repetitive tasks. It 
is versatile, with hybrid connection capabilities that help you automate tasks in your 
on-premises datacenters as well as with other cloud service providers like Amazon Web 
Services (AWS). Being built on top of the ever-reliable PowerShell, it is a useful tool in 
the arsenal of any Azure cloud administrator. Azure runbooks are easy to create, edit, 
and execute and can integrate well with almost all resources in the Microsoft Azure 
ecosystem. 

Azure Automation has significantly changed since its inception as a small feature 
in the Azure classic portal. With the introduction of the Azure Resource Manager (ARM) 
model and the new Azure portal, Azure Automation also significantly ramped up, with 
many new features such as Azure Graphical runbooks. As more and more organizations 
are moving toward the cloud, automation is also much in demand to maximize the return 
on investment (ROI). Microsoft Azure is a leader in the cloud market, and developing 
skillsets in Azure Automation is a valuable tool in the arsenal of a cloud administrator. 

This chapter introduces you to the ARM deployment model in Azure and the various 
components of Azure Automation in the ARM model. These include but are not limited 
to the Azure Automation overview dashboard, PowerShell, runbooks, jobs, Runbook 
Gallery, hybrid workers, and Azure Automation security. We will focus on establishing a 
basic understanding of the key concepts of Azure Automation, which will be explained in 
detail in subsequent chapters. 


Note Azure has two deployment models: the classic, or Azure Service Management 
(ASM), model and the more recent Azure Resource Manager (ARM) model. This book focuses 
on the ARM deployment model. 


© Shijimol Ambi Karthikeyan 2017 ] 
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Azure ARM Deployment Model 


The ARM model is the way forward for all Azure deployments as recommended by 
Microsoft. Compared to the monolithic deployment model of the Azure classic portal, 
ARM brings in flexibility and robustness with features including resource groups, role- 
based access control, template deployments, tagging, and resource policy. Let’s look 
at some of the key features of the ARM model before delving into Azure Automation, 
because many of these features will prominently feature in some of the Automation 
runbooks that we will be discussing further in this book. 


RBAC 


Azure role-based access control (RBAC) helps you implement fine-grained access 
restrictions on resources created in Azure. In the classic model, there was only one role, 
named Co-administration, which had full access to the entire Azure subscription. This 
was not suitable when administrators wanted to implement more restrictions at at the 
resource level. With the introduction of RBAC, there are many predefined roles that you 
can leverage. 

In addition, you can even create your own roles. The three main roles are Reader, 
Contributor, and Owner. You can apply the roles at various scopes—to resource groups, 
virtual machines (VMs), or networks, for example.. The Owner role has full permission 
to the applied scope and enables the member of the role to add another user in the 
given scope. The Contributor role also has full access, but a member of the Contributor 
group cannot add another user to the scope. Reader provides only read access to any 
applied scope. In addition, each resource type has its own set of predefined roles that an 
administrator can leverage to set permissions. 


Template Deployment 


In the ARM model, you have the option to automate the deployment of resources by using 
JSON templates. This is useful for deploying complex multitier environments in a single 
click. You can define the parameters in JSON format, define dependencies, and then 
create a template for complex architectures. This is useful in crash-and-burn scenarios 
and time-sensitive deployments. 


Tags 


You can tag the resources in Azure with a key/value pair so that you can do a logical 
marking of resources coming under a certain scope. For example, you can create a tag 
for all development resources in your environment, and when you select the tag from 
the portal, Azure will list all the resources coming under that tag. Tags are also useful for 
billing purposes. In the Azure consumption bill, you can filter resources based on their 
tags. This will help you identify the cost incurred by a resource grouped under a given 
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tag. One possible use case is cross-charging; you can create a tag for all resources for 
another department, sort the charges based on the tag, and cross-charge to a respective 
department. 


Resource Groups 


Azure resource groups are a new feature in ARM that enable you to logically group related 
resources and manage them as a single entity. Any resource created in the ARM model 
should be part of a resource group, and it can be part of only one resource group at a 
given time. Adding resources to a resource group allows you to manage their life cycle 
and create a security boundary. Grouping resources in resource groups becomes relevant 
when you want to be able to create, update, or delete them together. 


Resource Policies 


Resource policies allow administrators to implement restrictions in terms of resource 
locations or naming conventions. A policy consists of a policy definition and 

policy assignment at a given scope. Resource policies are quite useful when cloud 
administrators want to implement certain rules and regulations—for example, all created 
resources should reside in a chosen Azure location, or the resources should adhere to a 
given naming convention. Unlike RBAC, which decides the permission levels of a user at 
a given scope, policies define the properties of the resources at the applied scope, such as 
their naming conventions or location. 


Azure Automation in the ARM Portal 


The concept of cloud computing is heavily dependent on automation, wherein users can 
log in and spin up resources based on their requirements. More and more organizations 
are adopting the cloud-first policy, and hence there is an increasing demand on 
automating long-running complex operational tasks in the cloud. Azure Automation was 
introduced to fill this gap. 

Automation was introduced in the classic portal initially. With the introduction of 
the ARM model and the strategy of promoting it for all services new and old, Automation 
was introduced in the ARM-based portal as well. The new ARM-based portal is simply 
referred to as the Azure portal. Automation runbooks are based on PowerShell and bring 
in the exciting possibilities of PowerShell scripting to the Azure platform in an easy-to- 
handle interface. 
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Creating Your Automation Account and Getting Started 
Let’s look at how to create an automation account in the ARM portal: 


1. Goto the Azure portal. In the left panel, click More Services 
and then type in automation (Figure 1-1). 


x 


Shift+Space to toggle favorites 


New automation x 


EE Dashboard i 
ashboarc es, Automation Accounts 


9" Keywords: process automation 





py Resource groups 
Figure 1-1. Searching with the automation keyword 


2. Alist of automation accounts is displayed. To create a new 
account, click Add (Figure 1-2). 


Automation Accounts 


Microsoft 


Add | ZZ Columns o Refresh 
zu 


Subscriptions: 3 of 4 selected - Don't see a subscription? Switch directories 





Figure 1-2. Adding a new Automation account 


3. You need to provide some information while creating the 
Automation account (Figure 1-3). The Automation account 
should have a unique name and be assigned to a resource 
group. You can either use an existing resource group or create 
a new resource group. 
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Add Automation Account 


* Name © 


| Automationdemo 





* Subscription 


| Visual Studio Enterprise 


* Resource group 6 
(S Create new © Use existing 


| automationrg 


* Location 





| Southeast Asia 


* Create Azure Run As account 6 


EG 9 


The Run As account feature will 
create a Run As account and a 
Classic Run As account.Click here to 
learn more about Run As accounts. 


| | Pin to dashboard 


Create | 





Figure 1-3. New Automation account details 


4. You also have an option to create a new Run As account in 
the classic (a.k.a. Service Management) as well as the Azure 
portal. Run As accounts are required to authenticate with 
Azure to create and manage resources using your runbooks. 
In the case of ARM, the account that gets created is a service 
principal in Azure Active Directory, along with an associated 
certificate. This account gets the Contributor role by default. 
The classic Run As account that gets created uses the concept 
of certificate authentication in the Service Management 
model. It uploads a management certificate that can be 
used to access and manage classic portal resources by the 
Automation runbooks. The classic portal is being deprecated 
and is beyond the scope of this book. 
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9. When you click the Create button, the Automation account is 
created. It is then listed under the Automation accounts in the 
Azure portal (Figure 1-4). 


Automation Accounts 


s fujd ES Cclumrea o Rafresh 


Subceriptene: Weil Stude batita - Dont tee d dobieniphon! salih cresionet 
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Figure 1-4. Automation account list 


6. Ifyou click the Automation account, Azure takes you to the 
overview, which provides a nice tiled dashboard of various 
components included in it (Figure 1-5). 
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Figure 1-5. Automation account dashboard 


Exploring the Dashboard 


We will be discussing many of these components in detail in this book, and we'll start off 
with a brief introduction to them now. 
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Solutions 


Automation accounts can be linked with the Operations Management Suite (OMS), and 
the solutions connected to it (Figure 1-6). 


Solutions 


ADAssessment(laas OMS) 
ADReplication(laaS OMS) 
AgentHealthAssessment(laaSOMS) 
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Figure 1-6. OMS Solutions list 


You can integrate your automation account directly with OMS. Alternately, you can 
create webhooks for runbooks and execute them based on OMS search criteria. This is 
explained in detail in Chapter 5, Hybrid Cloud Automation. 


Runbooks 


Runbooks are the basic building blocks of Azure Automation. You can create your own 
runbooks for various tasks to be executed via the Automation platform. A Runbook 
Gallery is available that has many runbooks already published by Microsoft or community 
contributors; you can import these runbooks, customize them, and schedule them based 
on your requirements (Figure 1-7). 
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| Runbooks 
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Figure 1-7. List of runbooks 


Jobs 


The Jobs panel in the overview gives information about runbook execution status. You 
can drill down deeper and get information on the input, output, and more. Each time 

a runbook execution is initiated, either via a schedule or manually, a job is created. An 
Azure automation worker executes the job. Many jobs can run in parallel; one runbook 
might have multiple jobs being executed. You can also view the job status in the 
dashboard (Figure 1-8). 
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Figure 1-8. Job Statistics overview 
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Multiple statuses can be associated with a job. These include Completed, Failed, 
Queued, Running, Stopped, and Suspended: 


Assets 


Completed: Indicates that the job execution completed 
successfully. 


Failed: The job failed to execute. It could be because 
of compilation errors or execution errors based on the 
runbook type. 


Queued: The Azure Automation worker is not available to 
execute the job, and hence it is in a queue. 


Running: The job is being executed. 


Stopped: This indicates that the user stopped the job 
execution while it was running. 


Suspended: The job is in a suspended state, for various 
possible reasons. It could be suspended manually by a user or 
by a command in the script. A user can restart the runbook at 
any given time, and it will restart from the beginning if there 
are no checkpoints in the script. 


Assets in an Automation account consist of the following components: schedules, 
modules, certificates, connections, variables, and credentials (Figure 1-9). Azure 
Automation assets are discussed in detail in Chapter 2. 


Assets 


oO Refresh 


Schedules 


Oo 


Connections Variables Credentials 


2 a 





Modules Certificates 


15a 2a 


Ox 0: 


Figure 1-9. Assets overview 
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Hybrid Worker Groups 


You can use Azure Automation to execute runbooks in your on-premises environment 
as well. You need to deploy Azure automation hybrid workers to on-premises servers 
and connect them to your Azure Automation account. You can get a list of such hybrid 
workers from the overview dashboard (Figure 1-10). 


Hybrid Worker Groups 


i Configure o Refresh 


GROUP NAME NUMBER OF WORKERS LAST REGISTRATION TIME 
adVM.sccmad.com, aa9c /08a-... 2/25/2017 10:54 AM 
Backupvm1, 06248ab8-6c93-4... 2/27/2017 4:39 PM 
Demowebvm]1 8979f7f1-c207-... 2/25/2017 10:48 AM 
MININT-E7BGB11 94d27dcd-5... 2/25/2017 10:52 AM 
sccmiis.sccmad.com, Dad684b1... 2/25/2017 10:52 AM 


test 2/21/2017 2:27 PM 





Figure 1-10. List of Hybrid Worker Groups 


DSC Configurations and DSC Nodes 


Desired State Configuration (DSC), as the name indicates, is a configuration management 
solution that helps maintain your infrastructure configuration as code. It is based on 
PowerShell and implements the desired state in target machines by leveraging the Local 
Configuration Manager (LCM). Azure Automation DSC integrates the capabilities of 
Azure Automation with DSC-based configuration management (Figure 1-11). 


DSC Configurations 
d Add a configuration [^ Learn more o Refresh 


NAME AUTHORING STATUS LAST MODIFIED 


MyDscTest Published 4/11/2017 4:12 AM 





Figure 1-11. DSC configurations list 
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By leveraging Azure Automation DSC, you can manage the desired state of your 
infrastructure configuration across on-premises physical/virtual machines as well as cloud 
resources. We will discuss Azure Automation DSC configuration in detail later in this book 
in Chaper 4. 


PowerShell in Azure Automation 


The runbooks in Azure automation are completely based on PowerShell. Four types of 
runbooks are available: PowerShell, PowerShell Workflow, Graphical, and Graphical 
PowerShell Workflow. Though based on PowerShell, each runbook type has its own 
features and limitations. 


PowerShell 


These are the basic PowerShell-based runbooks available in Azure Automation. Using 
these runbooks is similar to executing Azure PowerShell module-based commands from 
the Azure portal. The related PowerShell modules should already be imported in your 
Azure Automation account. 

Certain capabilities such as parallel processing of tasks and runbook checkpoints 
are not available in these basic PowerShell-based runbooks. You will have to go for 
PowerShell Workflow-based runbooks if you want to use these features. You can create 
runbooks by using the simple Azure PowerShell-based scripts that you might be already 
using to manage your Azure infrastructure, and leverage additional capabilities such as 
scheduling them. 


PowerShell Workflow 


PowerShell Workflow runbooks are intended for more-complex tasks that involve 
executing steps in parallel, calling other child runbooks, and so forth. As the name 
indicates, this type of runbook is written using PowerShell workflows that in turn use 
Windows Workflow Foundation. PowerShell workflows allow you to set checkpoints in 
your script so that you can restart the script from the checkpoint if an exception occurs 
during execution. This kind of workflow can cater to advanced automation requirements 
of complex cloud infrastructures. 


Graphical 


Graphical runbooks can be created from the Azure portal, but unlike the PowerShell and 
PowerShell Workflow runbooks, they cannot be edited or created outside the portal. They 
use PowerShell in the back end, but the process is transparent to the user. There is an option 
to convert the Graphical runbooks to Graphical PowerShell Workflow, and vice versa. 
Graphical runbooks are a good place to start for a cloud administrator who doesn’t 
have much expertise in PowerShell. This type of runbook uses a visual authoring model 
and represents the data flow pictorially in an easy-to-understand fashion. The editing 
can also be done directly from the portal, against each building block of the runbook, to 
implement changes in the logic. 
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Graphical PowerShell Workflow 


Graphical PowerShell Workflow runbooks are based on PowerShell workflows in the 
back end. Other than that, the properties are the same as that of a Graphical runbook. 
Graphical PowerShell Workflow runbooks can be edited and managed only from within 
the Azure portal. 


Runbook Gallery 


A Runbook Gallery is readily available in the Azure portal, where several runbooks 
catering to multiple scenarios are already available. Some of these runbooks are 
contributed by the community, and others are provided by Microsoft. You can access 
the Runbook Gallery by clicking the runbook tiles in the overview dashboard of the 
Automation account. 

Click Overview > Runbooks > Browse Gallery to access the gallery (Figure 1-12). 


Browse Gallery 


Gallery Source 


Popularity Sori Ce 


Stop Amare V2 Wis Type 


raphi ftunbaok 

This Graphical PowerShell nunbook connects to Arune ming an Automation Run As account 
and stops all V2 Vivis in an Azure subscription or im à resource group or a single named V2 
Vi Vou can atlech à necari oc eae: bo thes nnek Bo nan rt at ar Specific Essa 

Tage: Azure Virbual Moachenes, Stop VM, Grachacalbs 


Scheduled Virtux Machine Shutdown, Startup 

Rovere) Runtik 

Auteenates the pcheduled startup amd shutdown of Azure virtual machines. Schedules ane 
implemented by tagging Vis or resource groups with individual simple schaduler. 
Schedules ean dehne mulsple teme pereads Tor chutden, including Dre rugs. and days 
Tags: VM Leéecyche Management, Dev / Test Eranonmenis 


Sturt Azure V2 VIN 

Graphical Rurbook 

Thr Curaphecal! Peram Shel nantook connsecEs To dune vein an Actonmatbon Run ds account 
and starts all Wa Vids in an Anao pubscription or im a rescurcg group or a single named V2 
VM. You tan attach à recurring schedule to this runbock ta run it at à specific eme. The 
Tags: Anpe Vistuud blacker Stud VM. Orbe 


Step Amine Carde VMs 

Poseprihell Viewty Romhook 

This PowerShell Vicki runbock connect bo Anure amd ropa all claege vs mn an Are 
subicripson or dioud genios, Vou can attach a schedule so thes nunibook to run it at a 
ipeaohc tme 


Tags: Virtual Machina, Azure Automation, WM Lifieoycie Management 


Start Azure arie VM 

Povwerthell Workflow Runibook 

This Powershell workflow runbook connects bo Amure 3nd farts all clesie VIME in àn Azure 
Tulscrgibon or dood senos, Vou can aMisch a schedule t5 s nanbook to run A M a 
Loses iri 


Created by; 5C Automation Product Team 
Ratings 43 ot 5 

24,795 dimnioads 

Last updated: 021/2016 


Created by; Automys 
Ratings: 481 of 5 
14,515 downloads 

Last updated: 2/29/2016 


Created by Sc fuxomation Product Team 
Ratings: 4.57 of 5 

18,508 dankas 

Last upedated- 10/2 1/2015 


Created by: $C Automation Product Team 
Ratings: £8 of 5 

14615 ckranioads 

Last updased- 5/18/2016 


Created by: SC Automation Product Team 
Ratings: 4,25 of 5 
10,524 dawninads 


X Power ell pon’ 
x, Graphécal runbook 


af PowerShell workflow 


Publisher 


+f March 


.' Community 





Figure 1-12. Azure Runbook Gallery 


On the right-hand side, you can see the Gallery Source listed. It could be either Script 
Center (which is the default) or the PowerShell Gallery. You will find scripts/runbooks 
more relevant to Azure by choosing the Script Center option. The PowerShell Gallery 
contains mostly general-purpose PowerShell scripts. This right-hand pane also provides 
an option to filter the runbooks based on their type (PowerShell Script, Graphical 
Runbook, or PowerShell Workflow). Further filtering is possible based on the publisher 
(you can choose runbooks published by Microsoft or by the community). 
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You can search for runbooks for specific use cases in the search bar. Usually, 
runbooks are readily available for all major Automation use cases. If not, you will find 
something close enough that you can tweak and reuse. 

Select the runbook from the gallery, and you can review the information about the 
runbook from its description. For Graphical runbooks, you can review the dataflow in a 
flow chart representation. You can import the runbook to your Automation account by 
clicking Import (Figure 1-13). 


Stop Azure V2 VMs 


ti Import 


This Graphical PowerShell runbook connects to Azure using an Automation Run As account and stops all V2 VMs in an Azure subscription or in a 
resource group or a single named V2 VM. You can attach a recurring schedule to this runbook to run it at a specific ime 

Created by: SC Automation Product Team - Microsoft Ratings: 4.38 of 5 

Tags: Azure Virtual Machines, Stop VM, GraphicalPS 24,808 downloads 

View Source Project Last updated: 10/23/2016 


Get Run As Connection 
I 


N^ 


Connect to Azure 


v Vv T 
Get single VM Get all VMs in RG Get all VMs in Sub 


Get VM with Status 





Figure 1-13. Importing a Graphical runbook 


You need to provide a name and may provide an optional description while 
importing the runbook by using the Import option available in the portal). Once 
imported, the runbook will be listed in your Automation account. However, this runbook 
is not available for execution unless you publish it. 
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To publish the runbook, click Edit. This opens the runbook edit pane (Figure 1-14). 


Echt Graphical Runteook 


Pl ingutsnd super  tetpane W Feedback 


"ES CMOLETS 
Pub RUNBOCKS "p ale 4. al 
t asses Get single VM Got all Vids in RG Gat all Vids in Sub 


P UR pureo CONTROL 





Figure 1-14. Runbook edit pane 


Here you can view and customize the runbook as per your requirements. Then click 
Publish to make the runbook available in the Automation account. 


Uploading Runbooks to the Gallery 


If you have created a runbook that could be valuable to the wider community, you can 
upload it to the Runbook Gallery. The step-by-step procedure is as follows: 


1. Loginto the Script Center by using your Microsoft account at 
http://gallery.technet.microsoft.com/site/upload. 


2. Underthe File Upload option, upload your runbooks. 
This could be a . ps1 file for PowerShell Workflows or 
.graphrunbook for Graphical runbooks (Figure 1-15). 


File upload 





Figure 1-15. File upload option 


3. Provide the title and description of your runbook (Figure 1-16). 
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Title * 


The tie should capture the essence of your contnibution. 


Description * 


The descnpoon should provide more information about your contribution You can provide the description in HTML and we support the embedding of code snippets 
images. and additions! files that help illustrate your contribution. 


Ete i ILI -i mE 





Figure 1-16. Runbook title and description 


You should list all dependencies of the runbook in the 
description. If runbooks refer to other runbooks, that 
information must be provided in the description, and the 
corresponding runbooks should have the same tag. 


4. Provide asummary of the runbook and the language of choice 
(Figure 1-17). The summary will be displayed in the Runbook 
Gallery search results. 


Summary * 


Provide summary information for your contribution. This information will represent your contribution in search results. Max 280 characters. 


(&) Use the first 280 characters of my description. 
(7 | want to write my own summary. 


Language 


Select the language in which you wrote your description. 
English (United States) 





Figure 1-17. Runbook summary 


9. Inthe next section, select the category as Windows Azure and 
the subcategory as Automation (Figure 1-18). The next option, 
operating system, is irrelevant in this case and can be ignored. 
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Figure 1-18. Selecting the Category and Sub-category 


6. Assign tags relevant to your runbook. This helps in listing the 
runbook under the relevant categories. A Graphical runbook 
should have the GraphicalPS tag associated with it (Figure 1-19). 


What keywords describe your contribution? 
ee e 
CI Powershell (3521 usages) 
CI Powershell Script (1517 usages) 
LI Active Directory (745 usages) 
[ ] SQL Server (556 usages) 
C Office 365 (475 usages) 
C SharePoint 2010 (451 usages) 
C Exchange 2010 (441 usages) 
C SharePoint 2013 (436 usages) 
C Windows PowerShell (434 usages) 
CO sharepoint Online (398 usages) 
LI Exchange 2013 (370 usages) 
L] SCCM (356 usages) 





^ 
E 





Figure 1-19. Assigning tags 
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7. You have the option to enable Q &A for this contribution or 
mark the runbook as an official Microsoft contribution if you 
have received permissions to do so (Figure 1-20). 


Options 


This is an official Microsoft contribution 
! have received permission from the involved Microsoft Product tearm(s) to distribute this as an Official Microsoft Contribution 


I^ Enable Questions and Answers for thes contnbution 





Figure 1-20. Enabling Q & A 


8. Selectthe License options: TechNet Terms of Use, MIT, 
or MS-LPL (Figure 1-21). TechNet terms of use refers to 
Microsoft Developer Services Agreement. MIT and MS-LPL 
come under open source licensing. The last step is to agree to 
the terms of use and submit the runbook. 


License * 
©) TechNet Terms of Use 
Q MS-LPL 


Terms of use“ 


The Terms of Use contains the terms that apply to your contribution. Please read them. If you do not agree to these terms, do not make any contributions. You also 
agree that we may publish the profile information that we associate with your TechMet Live ID in connection with your contribution, 


[7] ! agree to the Terms of Use 





Figure 1-21. License options 


Azure Automation Security 


Azure Automation should be linked with an Azure Automation account that has access 
to resources in the associated Azure subscription. In the classic model, certificate-based 
authentication was used. However, in the ARM model, Azure AD-based authentication 
is used. This simplifies the authentication process, as one account can be used for 
authenticating for both the classic and ARM models. 

When you create the Automation account, Azure automatically creates a Run As 
account for both the ARM and classic models with the required permissions, as explained 
earlier. You can see the details of these accounts by selecting the Run As accounts from 
the respective Automation dashboard (Figure 1-22). 
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omsrgautmn - Run As Accounts 


Ü Ar aa NER 


L2 Sesrch (Colt, [7 Learn more 


o Azure Run As Account & 
Expires 2/21/2018 12:00 AM 


* Credentials 


4 Connections 
© Azure Classic Run As Account @ 


a-| Certificates Expires 2/21/2018 12:00 AM 





Figure 1-22. Azure Automation Run As accounts 


You can click each account to view further details. 

When the Azure Run As accounts are created, a couple of other resources are also 
created in the back end for the users to start with. These include two sample runbooks: 
one PowerShell-based runbook called AzureAutomationTutorialScript, and one 
Graphical runbook called AzureAutomationTutorial. These runbooks demonstrate how 
to authenticate by using the Run As accounts. Similarly, two runbooks are created for the 
classic Run As account as well (Figure 1-23). 


omsrgautmn - Runbooks 
E Add a runbook [5] Browse gallery o Refresh 


"n Access control (LAM) 


$ Tags 


NAME AUTHORING STATUS LAST MODIFIED 


Azure^utomabonTutorial Vv Published 2/21/2017 728 AM 
XK Diagnose and solve problems 
AruteAutomabonTutonalSeript v Published 2/21/2017 3:12 PM 


PROCESS AUTOMATION 
ArureClaccicAutomatnionTutonal v Published 2/21/2017 728 AM 


fà Runbooks 





AzureClassicAutomationTutorialScript vf Published 2/21/2017 7:28 AM 
Figure 1-23. Sample runbooks 


Click any of the runbooks and execute them to verify the Run As accounts 

Let's start the AzureAutomationTutorial runbook to verify the ARM Run As 
accounts. Click the runbook, which takes you to the execution pane. Now click Start. 

In the Job pane, click Output, and you should be able to view the output of the 
runbook , which is the list of all resources in your subscription (Figure 1-24). 
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"steorsiaplet” of type "Kicrecett Stertiaple/masagers” 
"stersisplenen” ef type "Micresoft .Sterage/sterageicomnts' 
'asrdenoctét^ of type “Kicrece#t Storage steragelccowems 
"Demwaalbtt! of type ‘Micreteft mecoweryserwices/veults ! 
“‘Demewault2” of type ‘Micreieft Becoweryserwices/ vaults’ 


ve 'Oempowneti' of type "Microsoft Network/vi tus metworks * 


ve 'fellevertest' ef type “Microsoft Metwerk/wir tea metuor ks " 
oe "Besti-vet of type "Fioresof t Netwerk/virtuaDMetuorhs " 
"Weperotion’ of type Microsoft Jatenmation/eutenmat Lond cent s" 
"Vrepe cot Lond Add -DataDÉ skTelwuM of type ‘Micreseft. Autonet lew evtemet lowiccowts/runbooks' 
"Woperation/ArereAstomatieaTatorial of type Ricrocedt Automation automationsccouvts/rumbecks” 
Wamings ‘Waeperation/Avereistaretion! torialtcript” of type “Micretoft . Automat ton/ automat iowiccounts/rumbooks 


‘Waoperat ion/Avere laccicAstamationleterial” of type "icrocolt futomat ion automat lav count cf ronibeok s" 


perst Lon &rerec Laccicastasationteterialseript’ of type mono dn toast ton/ automat ioaaccmants/rentnics” 





Figure 1-24. Sample Runbook output 


You can repeat the same with AzureClassicAutomationTutorial to get similar 
results. 


Role-Based Access Control 


If you want to provide role-based access for different users to your Automation account, 
use the basic RBAC model of ARM. Along with the Owner, Contributor and Reader role, 
you can also use the Automation Operator role that is tailor made for Automation. In 
addition to these Four roles, you can also use the User Access Administrator role that can 
be assigned to manage user access to your Azure resources. 

The Contributor role provides full read/write/delete permissions in the Automation 
account, except for providing another user access to the Automation resources. Reader, 
on the other hand, provides only read-level permissions, as the name indicates. The 
Automation Operator role, provides restrictive permissions to the assigned user. This role 
is specifically targeting users who need permissions to start, stop, suspend, or resume 
Azure Automation jobs and nothing else. It is useful when you want to provide delegated 
permissions to a team member to manage Azure Automation jobs. 

Follow these steps to provide role-based access to a user: 


1. Goto the Automation account and click Access Control 
(IAM), as shown in Figure 1-25. 


omsrgautmn - Access control (IAM) 


$ : 
APL FULCURII 


Roles C) Refresh. F Help 


d add 0 Re 


D Search (Chis) 


Name @ Type 6 


J Overview 
Search by name ar email All 
Bl Activity log 
T items (1 Users, 1 Groups, 5 Apps) 
M Access control (LAM) : 
HAM 





Figure 1-25. Azure Automation access control (IAM) 
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2. Click the Add option. This opens the permissions pane 
(Figure 1-26). 


Add permissions 


Automation Operator 6 


JLG m 


Search by name or email address 





Figure 1-26. Setting permissions 


Here you can search for the specific role and the username by 
name or email ID. The user should already be present in your 
Azure AD associated with the subscription. You can save the 
permission after you have added the user. 


However, if you are using hybrid workers to execute runbooks 
against your on-premises datacenter, you should provide a 
credential with permissions to execute the runbook against 
the target machine. This is applicable for executing runbooks 
against AWS resources as well. 


Let's look at how to add resources for hybrid workers. This 
involves creating a credential asset with the username/ 
password. 


3. From the Azure Automation dashboard, click Assets > 
Credentials to open the Credentials dialog box (Figure 1-27). 


Credentials 


ef Add a credential ©) Refresh 


NAME LAST MODIFIED 


No credentials found. 





Figure 1-27. Adding credentials 
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4. Click the Add a Credential option and then provide the name, 
description, username, and password (Figure 1-28). 


New Credential 


* Name 
| Hybridworker v 
Description 

Test 


* User name 


| contoso\adminuser1 T" 
* Password 


* Confirm password 





Figure 1-28. New credential details 


The username in this case can be in the form of 
domainNusername (as shown in Figure 1-28), 
username@domain, or simply the username alone if it is a 
local account. 


You can call this credential in your runbooks, or alternately 
specify a Run As account for a given Hybrid Worker Group. 
That way, the credential is automatically invoked for 
authentication each time you execute a runbook against a 
Hybrid Worker Group. 


9. To associate the credential with a Hybrid Worker Group, click 
the Hybrid Worker Group from the Automation dashboard. 
Select the target group and then click Hybrid Worker Group 
Settings (Figure 1-29). 
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i adVM.sccmad.com_aa9c/08a-05a5-4ef9-bec9-c8c35934c58e - Hybrid worker group settings 


PhytsidWorkertGroup 


Search (Ciri + H Save X Discard 


Run4s 6 | Defaut NN 


Choose Run As credential 


Y Overview 


SETTINGS Hybridweorker 
it 


Properties 


HYBRID WORKER GROUPS 





- Hybrid worker group settings 


Figure 1-29. Associate credential with Hybrid Worker Group 


6. Click the Custom option. Select the Run As credential from 
the drop-down menu and save the changes. 


The process for creating AWS credentials is the same. You need to create a credential 
asset. The only difference is that in place of a username, you should provide an AWS 
access ID and secret access key in the Password field. 


Summary 


This chapter provided an overview of Azure Automation in ARM, introduced the various 
types of runbooks and their assets, explored the Runbook Gallery, and discussed Azure 
Automation security. The next chapter covers Azure Automation assets in detail. 


Additional Resources 
https://docs.microsoft.com/en-us/azure/automation/automation-intro 


https: //docs.microsoft.com/en-us/azure/automation/automation-runbook- 
types#graphical-runbooks 


https: //docs.microsoft.com/en-us/azure/automation/automation-offering-get- 
started 


https://docs.microsoft.com/en-us/azure/automation/automation-runbook-gallery 


https://docs.microsoft.com/en-us/azure/automation/automation-role-based- 
access-control 
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https://docs.microsoft.com/en-us/azure/automation/automation-hybrid-runbook- 
worker 
https://docs.microsoft.com/en-us/azure/automation/automation-runbook-types 


https://docs.microsoft.com/en-us/azure/automation/automation-runbook- 


types#powershell-runbooks 
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Azure Automation Assets 





This chapter covers the various Azure Automation assets and their relevance in 

Azure Automation. We will also look at nested runbooks, which enable modularity 

and reusability of runbooks. Automation assets play an important role in Azure 
Automation, as you can reference the assets within a runbook, and they will be accessed 
at different stages during runbook execution. Automation assets provide flexibility 

to the administrator since they can be defined once and reused whenever required. 

For example, you can create a schedule for repetitive execution of runbooks, and the 
same schedule can be linked to multiple runbooks. You can create a connection asset 

to establish connections to target resources, and this asset can be used by multiple 
runbooks. This chapter will give you a detailed understanding of Azure Automation assets 
and how they can be defined and leveraged in Azure Automation. 


Azure Automation Assets 


Assets in an Automation account can be considered globally available settings that can be 
used by runbooks in that given account. The assets are classified as schedules, modules, 
variables, connections, certificates, and credentials. 


Schedules 


One of the most important requirements of any automation framework is the capability 
to schedule repeated tasks. In Azure Automation, this is achieved by using the schedules 
asset. You can create schedules and attach them to runbooks so the runbooks are run 
repeatedly—on a daily, weekly, or monthly basis, for example. You can attach multiple 
runbooks to a schedule, and attach multiple schedules to a runbook. 


© Shijimol Ambi Karthikeyan 2017 25 
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To create and attach a schedule to a runbook, follow these steps: 


Click the Automation dashboard and then choose Assets > 
Schedules. Next click on Add a Schedule (Figure 2-1). 


Schedules 


ef Add a schedule Ç Refresh 


NEXT RUN 
tes Expired 
testschedule 4/14/2017 8:11 PM (Europe/London) 
testupdaterun Expired 


updatesrun Expired 





Figure 2-1. Azure Automation schedules 


Provide the information shown in Figure 2-2. 
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New Schedule 


* Name 
| Schedulebook1 S 


Description 


* Starts © 
2017-04-14 8:07:57 PM 
UK - UK Time 

Recurrence 


* Recur every 


1 


Set expiration 


* Expires 


2018-04-14 8:07:57 PM 





Figure 2-2. Describing a new schedule 


In particular, you need to provide the following details: 
e Aname for the schedule 
e Description 
e  Astarttime for the schedule, along with the time zone 


e The recurrence is set to Once by default. However, you can set 
it to Recurring and configure the frequency as every Hour, Day, 
Week, or Month. 


e  Bydefault, the expiration is set as No (the schedule never expires). 
However, you can set an expiry date and time for the schedule if 
required. 
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The next step is to link this schedule with a runbook. Open 
the target runbook. In the overview tab, select Schedules 
(Figure 2-3). 


b stat <P view # Edit (© Schedule BZ webhook Ú Delete 6 Export 


Essentials ^ 


Resource qroup 

omsrg 

Account 

omsrgautmn 

Location 

East US 2 

Subscription name 

Microsoft Azure Internal Consumption 


penis mE 


| 
Schedules Webhooks 





0» Ox 


Figure 2-3. Schedules in the overview tab 


Click the Add a Schedule option. Then link the schedule to 
your runbook and select the schedule (Figure 2-4). 


> + Create a new schedule 


Par amater and ron settow à Scnedulebook | 
v 


Confioure parameters and run settings Day 


testscheoue 
Hour 





Figure 2-4. Linking a schedule 


You can set the input parameters of the runbooks to be 

used for the schedule. In this example, the runbook input 
parameters include the resource group name (optional), 

the name of the VM(optional), and the connection 

asset name (which, if not provided, will use the default 
AzureRunAsConnector asset). You should also specify the run 
settings, which determine where the runbook gets executed 
(either on Azure or on a hybrid worker (Figure 2-5). 
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Schedule Runbook * Parameters 

StartAzureViVimi StartAzureV2Z Vm 
Schedule Parameters 
Schedulebook1 RESOURCEGROUPNAME © 


rc No value 
Parameters and run settings 
Configure parameters and run settings 


Optional Sting 


VHMNMAME © 
No value 


Optional Sing 


AZURECONNECTIONASSETNAME @ 
Default will be used 
Optional Sting. Default: JAzureRunAsConnection 


Run Settings 


Run on © 


| Azure | Hybrid Worker 





Figure 2-5. Input parameters for the runbook 


If you wish to unlink the schedule from a runbook at any given 
point, you can select the schedule and then choose More > 
Unlink (Figure 2-6). 


tes 


Schedule 
hI Save X Discarc *** More 


Name oO Delete 
tes 


Ê Unlink 
Last modmeu 





Figure 2-6. Unlinking a schedule 


29 


CHAPTER 2 ™ AZURE AUTOMATION ASSETS 


Modules 


For the runbooks to be executed without any errors, the PowerShell modules 
corresponding to the commands being used should be imported into the Automation 
account. This concept is like that in standard PowerShell, where the respective modules 
should be made available in the PowerShell runtime before executing a PowerShell 
command. Like Runbook Gallery, a PowerShell Module Gallery is available in the Azure 
portal (Figure 2-7). 


| em srgautmn - Modules 


soot (Cis Sh Adlamodde ÇI update Amme Modders — M Bree gallery C) Refresh 


fo Ciencia MAME LAST MOEraD STATUS 
Bl Actrety log Azure ROUT EH PM Available 
zm Accen contecl (LM) Acre Stare aye 200 3:14 PM Available 
- Tags MzueeRMUAubeenation YVANT X334 PI Andate 
K Ciagncse and pie problems AnweRM Compute Bye aT 3:4 PM Auadacie 

Aneen Prahe HAVANT 134 PI Adae 


PROCESS AUTOMATION 


" AmuseRbel Resources 2/21/2047 3:14 ph Auadatlg 
gà Punbook. 


Azure RM Sol arai 2714 PM Aas le 
Tr Jobe 


AnmcRM Storage Az feo? SE PM Avaidable 
D Runbocks Gallery 


Microsoft PowerShell Core Ari 2017 10045 Pr Available 


CONFIGURATION MAHAGENENT : , 
Microsoft PowerShell agnostics Aria 2A T 149 PIA Duadatie 





Figure 2-7. PowerShell module list 


The majority of the required PowerShell modules are readily available in the account 
by default. The Azure team regularly updates the modules. You can keep the modules in 
your account up-to-date by clicking Update Azure Modules. 

You will then get a notification that all modules will be updated to the latest version. 
Click Yes ( Figure 2-8). 


Lipdabe all exiting Azure modules to the letest version 
Thi will update the menting Ame modules to the latet version, The uedate may take several mauti Da you want to continue? Afi paccestó^gl update, for ranbocka That use these module: and have a batid schedule yo will need 
M undici dizi ne - Bois She desechos sa That the updated modules wl be vied Ey Efe rum, 





Figure 2-8. Module update notification 


You can see that the modules are being updated (Figure 2-9). 


+ Add a module 


LAST MODIFIED 





Figure 2-9. Azure modules being updated 
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Once the update is complete, you will be notified that the modules have been 
updated (Figure 2-10). 


+ acca motte QQupedweanre Medun @& to gattery ©) tee 





Figure 2-10. Notification of update completion 


It is recommended to link and unlink any runbook schedules by using these 
modules, and to link them back after the modules are updated. 

If any particular module is not available in the gallery, you can browse the 
PowerShell Gallery, search for the module, and import it. Click the Browse Gallery option 
to access the gallery, shown in Figure 2-11. 


Browse Gallery 


AzureRM.prafile 


Microsoft Azure PowerShell - Profile credential management emdlets for Azure Resource 


Manager 
Tags: Azure ResourceManager ARM Profile Authentication Environment Subscription 
FSMadule 


PSDscResources 
This module contains the standard DSC resources. 


Tage Desiredstatec onfuguration DSC DsCReseuncekit DSCReÁseoure Psiodule 


Azure. Storage 


Microsoft Azure Powershell - Storage service cmdlets. Manages blobs, queues, tables and 


files in Microsoft Azure storage accounts 
Tags Arure Storage Blob Queue Table PSModule 


Microsoft Azure PowerShell - Api Management service omdlets for Azure Resource 
Manager 
Tage Azure ResauresMta nager ARM ApilManagenment Poh le 


Figure 2-11. Azure Automation module gallery 





Created by: azure-sdk 
961827 downloads 
Last updated: 4/5/2017 


Created by; PowerShellTeam 
584451 downloads 
Last updated: 3/8/2017 


Created byt azure-sek 
402930 downloads 
Last updated: 4/5/2017 


Created by: azure-sdk 
261501 Gownloads 
Last updated: 4/5/2017 
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Select the module that you would like to import to view the details, shown in 
Figure 2-12. 


AzureRM.ApiManagement 


pr 


Microsoft Azure PowerShell - Api Management service crodlets Tor Azure Resource Manager 


Created by: àzure-sdk 


Tags: Azure Resourcestanager ARM Aphanagement PSModule Version: 3.5.0 
Dependencies: AzureRM Profile (= 280) 281,501 downloads 
View Source Project Last updated: 4/5/2017 


Learn more 

View in PowerShell Gallary 
Doacurentatian 

Licensing imformation 


Content 
Search bo fitter ems. 
TYPE NAME 
Cmaülat Add-AzureRmApiManagementRedqion 
Cmület Get- AzureftmApiManagementSsoToken 
Cmadléet Mgw- AzurgRmApiManagerentHostnameContiguration 


Cmalat Mew-&rure&RmápsManagementRegion 





Figure 2-12. Viewing the details of a PowerShell module 


In the preceding example, we are trying to import the AzureRM. ApiManagement 
module. This module contains Azure Storage management commands such as Add- 
AzureRmApiManagementRegion,Get-AzureRmApiManagementRegion, and New-AzureRmA 
piManagementHostnameConfiguration. If your runbook uses any of these commands, 
you should import this module to the Automation account before executing the runbook. 
Otherwise, you might get a Command Not Found error. Some of the modules will have a 
dependency on other modules. In this case, the AzureStorage module has a dependency 
on the AzureRM. Profile(=2.8.0) module. Therefore, the module should be imported 
and available in the account, and the version should be 2.8.0. 

Click the Import option to import the module to your account (Figure 2-13). 


AzureRM.ApiManagement 


ES) Import 


Microsoft Azure PowerShell - Api Management service emedlets for Azure Resource Manager 


Created by: azure-sdk 

Tage: Azure ResourceManager ARM ApiManagement PShModule Version: 3.6.0 
Dependencies: AzureRM.Profile (= 2.8.0) 221,501 downloads 
View Source Project Last updated: 4/5/2017 





Learn more 


Figure 2-13. Importing dependent modules 
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You will get a message stating that importing a module might take couple of minutes. 
You will also see warning for any dependencies that need to be updated. You can choose 
to update the dependent modules when you import the new module (Figure 2-14). 


Import 


Importing a module may take 
several minutes. 


This Azure module has dependent 
Azure modules that must be 
updated. Please check the box 
below to update all of the Azure 
modules. 

After successful update, for 
runbooks that use these modules 
and have a linked schedule you will 
need to unlink and re-link the 
schedule so that the updated 
modules will be used by the 


| aqree to update all of the Azure modules 





Figure 2-14. Updating modules during import 


Click the OK button to proceed. 
The progress of the import will be displayed in the portal (Figure 2-15). 
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AzureRM.ApiManagement 


AzureRM.ApiManagement 


Last modified: 4/15/2017 3:49 AM 
Version: 

Sume: Q KB 

Global module: No 


Activities 





Figure 2-15. Module update in progress 


During the import process, the PowerShell cmdlets and metadata will be extracted 
and made available in the Automation account. 

In addition to importing modules from the gallery, you can use your own modules by 
clicking Automation Accounts > Modules > Add a Module (Figure 2-16). 





Figure 2-16. Importing a new Automation module 


The module can be uploaded as a zip file. The name of the module should be the 
same as the zip file (Figure 2-17). 
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Add Module 


| Importing a module may take | 
: several minutes. 


* Upload File (.zip format, 100 MB max size) © 


Select a file a 





Figure 2-17. Uploading a module as a zip file 


Variables 


Variables are, as the name indicates, values that can be provided as inputs to runbooks 
and shared between them. Variables are particularly useful when a certain set of values 
should be shared among multiple jobs or runbooks. 

A variable can also be defined inside a runbook, but the scope of the variable is then 
restricted inside that particular runbook. This is different from variables that are defined 
from the portal, which are persistent outside the scope of the runbook. The values can be 
set by runbooks and used by another runbook or DSC configuration. Since the values are 
persistent, they can also be used by runbooks the next time they are executed 


Creating a Variable from the Portal 


It is quite easy to create a variable from within the portal: 


1. From the Automation account, scroll down to Shared 
Resources » Variables. Then click the Add a Variable option 
(Figure 2-18). 


Automationdemo - Variables 


> Search (Ctri+/) + Add a variable o Refresh 


X Diagnose and solve problems ^N NAME 


No vanables found 
PROCESS AUTOMATION 


ey Runbooks 





Figure 2-18. Adding a new variable 
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2. Enter the Name, Description, Type, and Value (Figure 2-19). 


New Variable 


* Name 


Variable1 


Description 


Test variable 





Figure 2-19. Variable details 


The type of variables can be String, Boolean, DateTime, Integer, or Not Specified. If 
Not Specified is used, the value of the variable will be set as NULL. You can set the value 
of the variable at a later point by using the Set-AzureAutomationVariable PowerShell 
command. The syntax for the command is as follows: 


Set-AzureAutomationVariable 
-AutomationAccountName «String» 
-Description «String» 

-Name «String» 
[-Profile «AzureSMProfile»] 
[<CommonParameters> | 


By default, the variables are not created as encrypted. However, you can choose 


to encrypt the variables, if required, during creation. If encrypted, the variable can be 
retrieved only from within a runbook by using the Get -AutomationVariable activity. 
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Managing Variables by Using PowerShell 


You can create and manage Azure Automation variables by using PowerShell. You should 
be logged in to your Azure account via Azure PowerShell (Figure 2-20). 


Login-AzureRmAccount 





Figure 2-20. Logging into an Azure account via Azure PowerShell 


Provide the Azure login credentials when prompted. 
The Get-AzureRmAutomationVariable command will get the values of a given Azure 
Automation account variable (Figure 2-21). The syntax is as follows: 


Get-AzureRmAutomationVariable 
[-ResourceGroupName] «String» 
[-AutomationAccountName] «String» 
[-Name] «String» 
[«CommonParameters»] 





Figure 2-21. Get-AzureRMAutomationVariable command output 


The command pulls out the available variables in the given Automation account. 
You can pull out information on a specific variable independently and store it in 
another variable during runtime by using the commands shown in Figure 2-22. 





Figure 2-22. Variable runtime manipulation 
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Similarly, you can also create new variables via PowerShell by using the New- 
AzureRmAutomationVariable command. The syntax is shown here: 


New-AzureRmAutomationVariable 
[-ResourceGroupName] «String» 
[-AutomationAccountName] «String» 
[-Name] «String» 

[-Description «String»] 
-Encrypted «Boolean» 
[-Value «Object» ] 
[<CommonParameters> | 


In Figure 2-23, the command is executed against the target Automation account 
name and resource group with the name and value of the new variable. 





Figure 2-23. Creating a new Automation variable 


You can go back to the portal and check, and the variable will be listed there 
(Figure 2-24). 





Figure 2-24. List of variables in the Azure portal 


The Set-AzureRmAutomationVariable command can also be used to set the value of 
an existing variable (Figure 2-25). 





Figure 2-25. Setting the value of an Azure Automation variable 
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Here you can see that the value of the variable that we originally set from the Azure 
portal is set to Test1. 

You can delete the variables by using the Remove -AzureRmAutomationVariable 
command. The syntax is as follows: 


Remove-AzureRmAutomationVariable 
[-ResourceGroupName] «String» 

-AutomationAccountName] «String» 

-Name] «String» 

-Force] 

-Confirm] 

-Whatlf | 

<CommonParameters> | 


era tre eee 


You can provide mandatory parameters such as Automation account name, resource 
group name, and variable name to delete a variable (Figure 2-26). 


Remove-AzureRmAutomat ionVar iable 





Figure 2-26. Deleting an Azure Automation variable 


Using Encrypted Variables 


Creating encrypted variables is easy from the portal; you set Encrypted to Yes in the 
portal. You will not be able to view the value of the encrypted variable from the portal 
(Figure 2-27). 





sf addavariable ÇO Refresh 


HAME TYPE VALUE 
Variable? String Testi 


Figure 2-27. Encrypted Variable 


The value cannot be retrieved by using the Get -AzureRmAutomationVariable 
command either ( Figure 2-28). 





Figure 2-28. Encrypted variable runtime manipulation 


You can get the value from inside a runbook by using the Get -AutomationVariable 
activity. 
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Let's create a sample runbook to demonstrate this: 


1. Choose Automation Accounts >» Runbooks » Add a 
Runbook. 


2. Selectthe option to create a new runbook rather than 
importing from the gallery, as shown in Figure 2-29. 


Add Runbook Runbook 


Quick Create | * Name 6 


Create a new runbook Testrunbook! 


| Import |  *Runbooktype 6 
Import an existing runbook | PowerShell 


Description 


| Encrypted variable tesi 








Figure 2-29. Creating a new runbook 


3. This opens the Edit PowerShell Runbook pane. Type in 
Get-AutomationVariable <Variablename>. 


4. Figure 2-30 shows the display of the value in the test pane. 


Edit PowerShell Runbook* 


H sae @ Publish X | G ^ Æ Test pane & Feedback 
» BSCMDLETS 1 Get-AutomationVariable Variable3 


I^ Š RUNBOOKS 
> MRASSETS 





Figure 2-30. Azure Automation runbook edit pane 


9. Click the Save option. Then click Test Pane and start the 
runbook. 


There you can see that the activity pulls out the value of the encrypted variable 
(Figure 2-31). 
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Parameters 


No input parameters 


Run Settings 
Run on Azure © 


Using a hybrid runbook 


worker can increase test 
performance. 


Leam more 





Figure 2-31. Azure Automation runbook output 


Connections 


The runbooks need to connect to various resources or external systems, and connection 
assets encapsulate the information required to enable this. The connection information 
could include username/password, subscription IDs, URLs, ports, and so forth. When 
you create the Azure Automation Run As accounts, two connection assets are created by 
default. You can view them from Automation account dashboard by choosing Assets > 
Connections (Figure 2-32). 


| Assets 


LAST FEH FIED 


Cenihicaies - i = = ole : : 
Anrede onean — AnurecIyoxiecertificate By SY 2018 3:50 PM 


Az Rae ennechon AzuntSenacernmnapal Bran 2076 3:480 PM 


162 i2a 


Connections | Variables Credentials 


2 0 x 0: 


Figure 2-32. Azure Automation connections list 





Let's look at these assets so you can understand how the connection assets work; see 
Figure 2-33. 
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Connections AzureRunAsConnect.. # © x 


sf Addaconnecóon €) Refresh H x 


Name 


NAME TYPE LAST MODIFI 
cx) AzureRunAsConnection 


AzureClassicRunAsConnection AzureClassicCertificate 8/39/2016 3:40 PM Last modified 
8/30/2016 3:49 PM 
AzureRunAsConnection AzureSeracePrinapal 8/30/2016 3:40 PM 


AzureSenscePrinc pal 


* Applicationid 


* CertificateThumbonnt 


* Subscriptionid 





Figure 2-33. Connection information for AzureRunAsConnection 


Here you can see the details of the service principal created in Azure AD for the 
Automation Run As account. This information includes the application ID, tenant ID, 
certificate thumbprint, and subscription ID. 

When it comes to the classic connection asset, the parameters will be the 
subscription name, subscription ID, and certificate asset name. This certificate asset is 
also created automatically when you create the Run As account (Figure 2-34). 


Connections 4 AzureClassicRunAsC... »* 


Connection 
ef Addaconnection —( Refresh | Eis W Disc fl Delete 


Name 


HAM TYPE LAST I 
E Monrep AzureclassicRunAsConnection 
AzureClassicRunAsConnection AzureClassicCertificate 6/30/2016 3:40 PM Last modified 
8/30/2016 3:40 PM 
AzureRunAsConnection AzureSenacePrincipal 8/20/2006 3:40 PM 
Descnption 
This connection contains information 
needed to authenticate with Azure so that 
yeu can manage Amure classic resources 


Type 
AxureclassicCertificate 


* SubscriptionMame 
Visual Studio Enterprise 


* Subscriptionid 
uendere et e eran 


* CertificateAssetName 
AzureclassicRunAscertificate 





Figure 2-34. Connection information for AzureClassicRunAsConnection 
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Each connection is associated with a connection type, and each connection type 
is defined in integration modules. You can make your own PowerShell modules and 
include them in Azure Automation as integration modules. In addition to the PowerShell 
module, the integration module can optionally contain a metadata file that specifies 
the connection type to be used in Azure Automation. Integration modules provide the 
flexibility of bringing your own PowerShell modules to Azure when the required modules 
are not available by default. The modules that are available by default are called global 
modules. The modules imported by users takes precedence over the global modules. 


Creating a New Connection 


From the Automation account dashboard, choose Assets > Connections > Add a 
Connection. Depending on the type of connection selected, you need to provide 
additional inputs (Figure 2-35). 


New Connection 


* Name 
testconnection1 v 


Description 


* Type 0 


Azure v 


* AutomationCertificateName 


* SubscriptionID 





Figure 2-35. New connection details 


In this example, I have selected the connection type as Azure, and this option 
prompts for entering the Automation certificate name and the subscription ID. 
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Managing Connections by Using PowerShell 


You can use Azure PowerShell to manage connection assets. 


Get-AzureRmAutomationConnection 


The Get -AzureRmAutomationConnection command gets information about connections 
in each automation account (Figure 2-36). 
The syntax of this command is as follows: 


Get-AzureRmAutomationConnection 
[-ResourceGroupName] «String» 
[-AutomationAccountName] «String» 
[-ConnectionTypeName] «String» 

[ <CommonParameters> | 


Or: 

Get-AzureRmAutomationConnection 
[-ResourceGroupName] «String» 
[-AutomationAccountName] «String» 
[-Name] «String» 

[ <CommonParameters> | 


rem32> Get-AzureRmAutomationConnection -Resourc 





Figure 2-36. Getting connection information via Azure PowerShell 


If you run the command with the Automation account name and resource group name 
as parameters, all the connection information in that Automation account is pulled out. 


New-AzureRmAutomationConnection 


The New-AzureRmAutomationConnection command is for creating a new connection. 
The syntax is as follows: 


New-AzureRmAutomationConnection 
[-ResourceGroupName] «String» 
[-AutomationAccountName] «String» 
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[-Name] «String» 

[-ConnectionTypeName] «String» 
[-ConnectionFieldValues] «IDictionary» 
[-Description «String»] 
[«CommonParameters»] 


Let's create a new connection asset by using PowerShell. In the first command, the 
connection field values (the certificate name and the subscription ID) are provided. This 
information is called in the New-AzureRmAutomationConnection command to create the 
connection asset (Figure 2-37). 


New-AzureRmAutomationConnection 





Figure 2-37. Creating a new connection via Azure PowerShell 


You can see that the asset is listed in the portal after it's created (Figure 2-38). 


se Add a connection () Refresh 


AzureclassicRunAsConnection AzureclassicCertificate 


AzureRunAsConnection AzureServicePrincipal 


Connection Azure 





Figure 2-38. Connection list in the Azure portal 


Remove-AzureRmAutomationConnection 


As the name indicates, the Remove-AzureRmAutomationConnection command deletes an 
existing connection from the Automation account. 
The syntax is as follows: 


Remove-AzureRmAutomationConnection 
[-ResourceGroupName] «String» 
[-AutomationAccountName] «String» 
[-Name] «String» 
| -Force] 
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[ -Confirm|] 
[-WhatIf] 
[«CommonParameters»] 


The command deletes the newly created connection asset, as shown in Figure 2-39. 


Remove-AzuregRmAutomationconnectiaon 





Figure 2-39. Removing a connection via Azure PowerShell 


Set-AzureRmAutomationConnectionFieldValue 


Another command, Set-AzureRmAutomationConnectionFieldValue, can set the values 
of a field for a connection asset. 
Here is the syntax: 


Set-AzureRmAutomationConnectionFieldValue 
[-ResourceGroupName] «String» 
[-AutomationAccountName] «String» 
[-Name] «String» 

-ConnectionFieldName «String» 
-Value «Object» 
[ <CommonParameters> | 


In the example in Figure 2-40, the command is used to update the certificate name of 
the connection asset named Connection2. 





Figure 2-40. Setting a connection value via PowerShell 


Get-AutomationConnection 


The activity named Get-AutomationConnection can be used to get information about the 
connection from within a runbook. 

Let’s create a runbook with the type PowerShell to test this out. Call the activity 
with the connection name and parameter to retrieve information about the connection 
(Figure 2-41). 
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Edit PowerShell Runbook 


Publish X E E Testpane — WM Feedback 
l^ HRCMDLETS 1 Get-AutomationConnection Connection2 
|^ a RUNBOOKS 
|^ M ASSETS 





Figure 2-41. Azure Automation runbook edit pane 


You can save the runbook and execute it in the Test pane to view the results 
(Figure 2-42). 


P San BH 


Parameters 


No mput parameters 


Run Settings 
Run on Azure © 


[A 
Using a hybrid runbook “= 


€ worker can increase test AutomationCertificatceName "AzureClassicRunAsCertificate" 


prone SubscriptionID Sa8S0d8e-29d4-4fea-850F-1340392F2a99 





Figure 2-42. Runbook test result 


Certificates 


Certificate assets authenticate the access of runbooks to various resources in Azure, 
including ARM and classic resources. When the Azure Automation Run As account is 
created, two certificate assets are created by default. You can view these assets from the 
Automation account dashboard by choosing Assets > Certificates (Figure 2-43). 


Automationdemo - Certificates 


ArureClasscRunAsC erb^icate 


SHAREO RESOURCES 


AriureRu^AsCertih-ate 


> 


< Hybnd worker 


"f hs pn 
y “> 





Figure 2-43. Azure Automation certificates list 


47 


CHAPTER 2 ™ AZURE AUTOMATION ASSETS 

AzureClassicRunAsCertificate, as the name indicates, authenticates access to 
manage classic resources. AzureRunAsCertificate authenticates access to manage ARM 
resources. 


You can also add new certificates by clicking Add a Certificate to access the Add a 
Certificate dialog box (Figure 2-44). 


Add a certificate 


* Name 


ClientCertificateName 


Description 


* Upload a certificate file (.cer,.pfx) 


ClientCertificateName.pfx v Ell 


X o 


ClientCertificateName.pfx 


* Password 


* Exportable 





Figure 2-44. New certificate details 


You can choose to upload a .cer file ora . pfx file. If you upload a . pfx file, you will 
get an option to enter a password and set whether the value is exportable. 

A certificate can be uploaded via PowerShell as well, by using the New- 
AzureRmAutomationCertificate command (Figure 2-45). 
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The syntax is as follows: 


New-AzureRmAutomationCertificate 
[-ResourceGroupName] «String» 
-AutomationAccountName] <String> 

-Name] <String> 

Path] <String> 
Description <String> | 
Exportable ] 

Password <SecureString> | 
<CommonParameters> | 


tpwd = ConvertTo-SecureString -< 


$certName $certPath 


iurceGroup O 
zureRmAutomationCertificate ~ 


$ResourceGroup 


mari 
wu 





Figure 2-45. Creating a new certificate via Azure PowerShell 


Execute the command with certificate information and Automation account 
information as parameters. 

You can use the certificate from within a runbook by using the 
Get-AutomationCertificate activity. Create a new runbook and call the activity with 
certificate name as a parameter (Figure 2-46). 


Edit PowerShell Runbook 


Esse  Q Publish XM Revertto published (@) Checkin ME Testpane W Feedback 
» ESCMDLETS 1 Get-AutomationCertificate ClientCertificateName 


k © RUNBOOKS 
>» me ASSETS 





Figure 2-46. Azure Automation runbook edit pane 
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You can run a test execution to review the output values (Figure 2-47). 


b sat E 


Parameters 


No input parameters 


Run Settings 


Run on Azure © 


Thumbprint Subject 
7 
Using a hybrid runbook (^ 
worker can increase test 32602A3CASD2CB1B394EA436D67EC13ECEEF3SCFD CN=ClientCertificateName 
performance. 


Leam more 





Figure 2-47. Test execution output 


Credentials 


The credential asset in Azure Automation is same as the PowerShell PSCredential object 
holding security credentials for authenticating against a service. These credentials can be 
called by runbooks for authentication purposes. 

Creating credential objects from the portal is straightforward. Go to the Azure 
Automation dashboard and choose Assets > Credentials > Add a Credential to access 
the New Credential dialog box (Figure 2-48). 
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New Credential 


* Name 


TestCred 


Descnption 


* User name 


user1 


* Password 


* Confirm password 





Figure 2-48. New credential details 


You can also provide a username in the format domainNusername or 
username@domain. 

The value of a credential can be viewed by using the Get-AutomationPSCredential 
workflow from within a runbook. 

Similar to the examples mentioned earlier for other assets, you can create a runbook 
with the Get-AutomationPSCredential activity and the credential name (Figure 2-49). 
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Edit PowerShell Runbook* 





H ave C Publish ) I Test pane oe Feedback 
b HÉCMDLETS 1 Get-AutomationPSCredential TestCred 
> ©. RUNBOOKS 


b ia ASSETS 





Figure 2-49. Azure Automation Runbook edit pane 


Execute the runbook to get values of the credentials. Note that the password will not 
be displayed because it is stored as secure string (Figure 2-50). 


P stat B 


Parameters 


No input parameters 


Run Settings 


Run on Azure © 


Password 


Using a hybrid runbook 


worker can increase test 
performance. 


Learn more 





Figure 2-50. Azure Automation runbook output 


Nested Runbooks 


Along with the various Automation assets, nested runbooks are another Azure 
Automation feature that enables modularity. You can define commonly executed tasks 
as arunbook and then call it as a child runbook from various parent runbooks. There are 
two ways to call a child runbook: either by invoking the child runbook inline or by using 
the Start-AzureRMAutomationRunbook PowerShell cmdlet. 


Invoking a Child Runbook Inline 


Runbook inline invocation is the synchronous execution of a child runbook from a 
parent runbook. The parent runbook will wait for the execution of child runbook to be 
completed before moving on to the next line of code. Only a single Azure Automation job 
is created that takes care of the tasks defined in both child runbook and parent runbook. 
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The child runbook that is invoked inline should be published before the parent runbook. 


You can store the output of a child runbook in a variable while invoking it inline. The 
parameters for a child runbook can also be passed on by using variables. However, the 
name of a child runbook cannot be passed on using a variable and should be explicitly 


named inside the parent runbook. The execution of child and parent runbook is covered 


in a single job, which makes debugging easier. 


From the edit pane of the parent runbook, you can directly add a child runbook from 


the same Automation account via the Add to Canvas option (Figure 2-51). 


Edit PowerShell Runbook* 
MestedRunbteok-Irmeoke 


FA save @ Publish & d EE Testpane — Wl Feedback 


IE Ee CMDLETS 
- RUNBOOKS 
* All 
AzureAutomationTutorial 
AzureAutomation | utoralScript 
AzureClassicAutomation Tutorial 
AzureClassicAutomation Tutorial 
Nestedkunbook-Invoke 
StopAzureV2 Vm 
testpowershell EA 
ASSETS eer 





Figure 2-51. Adding a child runbook to the canvas 


This option will add the child runbook to the parent runbook from which it is 
invoked (Figure 2-52). 


Edit PowerShell Runbook 


& Publish 9€ Revert to published e RS Test pane L Feedback 


E CMDLETS 





RUNBOOKS 


Figure 2-52. Inserting the child runbook 
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To keep the example simple, I have included an echo command in the child runbook 
so that the execution order is clear (Figure 2-53). 


Edit PowerShell Runbook 


& Publish x Revert to published DE ^ Test pane uw Feedback 


>» Te MEAE Pc! 





Figure 2-53. Contents of the child runbook 


Publish the child runbook first, followed by the parent runbook. Now start the parent 
runbook and review the output (Figure 2-54). 


E Output 
; NestedRunbook-Invoke 8/30/2017 5:18 AM 


Nested Runbook invoked 


Nested Runbook executed 





Figure 2-54. Invoke method output 


The child runbook is executed from within the parent runbook, and we can see the 
results in the same output window. 

If you check the jobs associated with the child runbook, no jobs will be listed 
(Figure 2-55), because the execution happens from within the parent runbook job. 


testpowershell - Jobs 
Runbook 
o Refresh 


DE STATUS 


=| Activity bog No jobs found. 





Figure 2-55. The child runbook’s job list 
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Starting a Runbook by Using 
Start-AzureRMAutomationRunbook 


Start-AzureRMAutomation command can be used to initiate an asynchronous execution 
of a child runbook when it is called from within the parent runbook. Any runbook 
execution initiated by using Start-AzureRMAutomationRunbook will run as a separate 
job, independent of the parent runbook from which it is called. The name of the runbook 
can be passed on as a parameter, and the job status can also be stored in a variable. 
While the parent runbook will continue to execute the next line of code after starting 
the child runbook, the job status can be leveraged to delay this execution. The Get- 
AzureRMAutomationJobOutput command can be used to extract the output of a child 
runbook that is started with the Start -AzureRMAutomationRunbook command. The 
debugging of the child runbook and parent runbook will be slightly difficult compared to 
the invoking method, because multiple jobs are created during the execution. Unlike the 
previous option, the child runbook in this method is not limited to the same Automation 
account. You can call runbooks from different Automation accounts or even different 
subscriptions, provided the connection asset to that subscription is available. 

The contents of a sample parent runbook that calls a child runbook by using Start- 
AzureRMAutomationRunbook is shown here: 


$connectionName - "AzureRunAsConnection" 
try 
{ 


# Get the connection "AzureRunAsConnection 
$servicePrincipalConnection=Get-AutomationConnection -Name 
$connectionName 


"Logging in to Azure..." 

Add-AzureRmAccount ` 
-ServicePrincipal ` 
-TenantId $servicePrincipalConnection.TenantId ' 
-ApplicationId $servicePrincipalConnection.ApplicationId ' 
-CertificateThumbprint $servicePrincipalConnection. 
CertificateThumbprint 


j 
catch { 
if (!$servicePrincipalConnection) 
{ 
$ErrorMessage = "Connection $connectionName not found." 
throw $ErrorMessage 
} else{ 
Write-Error -Message $ .Exception 
throw $ .Exception 
j 
j 
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#Start runbook by using the Start-AzureRmAutomationRunbook command with the 
#resource group name, runbook name, and automation account name as input 
parameters 

Start-AzureRmAutomationRunbook -ResourceGroupName 'sccmrg' -Name 
"testpowershell' -AutomationAccountName 'hybriddemo' 


As you can see in this code, it is necessary to connect to the Azure subscription 
first by using the AzureRunASConnection credentials before you can use the Start- 
AzureRmAutomationRunbook command. 

The output of the runbook is shown in Figure 


n tri ra AE AM 


Logging in ta Arure... 


Environments Context 


([AzureCloud, Arurecloud], [ArureChinaCloud, AzureChimaCcloud], [AzureUSGovernment, ArureUSGovernment]) Microsoft.Azur... 


ResourceGroupName I sccmrg 
AutomationAccountName : hybriddemo 

JobId : UdO5200-f69f-4c32-2547-205fOcf50751 
CreationT ime : Bf oO/2047 5:16:54 AM +00:08 
Status | 

Statushetails : Hone 

StartTine 

EndT ime 

Exception i 

LastModifiedTime : §/J0/20i7 5:16:54 AN S Hn 
LastStatusModifiedTime : 8/28/2017 5:16:54 AM +00:00 
JobParane ters AE 

RunbaookName = testpowershell 
itybridBorker I 





Figure 2-56. Runbook output 


Note that the output of the child runbook is not listed. While using the invoke 
method, both parent and child runbook were executed from the same job, and you could 
see the output in one place. 

However, if you check the job list associated with the child runbook, you can see that 
it has been executed separately (Figure ). 





Figure 2-57. Child runbook job list 
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You need to check the job details of the child runbook to view its output (Figure 2-58). 


E Output 


testpowershell 8/30/2017 6:16 AM 


Nested Runbook executed 





Figure 2-58. Child runbook output 


Summary 


This chapter explained the various Azure automation assets, their properties, and how to 
leverage them while creating runbooks. This chapter also explained how to implement 
modularity by leveraging nested runbooks. The next chapter explores the various Azure 
runbook types in detail. 


Additional References 


https://azure.microsoft.com/en-in/blog/getting-started-with-azure- 
automation-automation-assets-2/ 


https://docs.microsoft.com/en-in/azure/automation/automation-credentials 
https://docs.microsoft.com/en-in/azure/automation/automation-certificates 


https://docs.microsoft.com/en-in/azure/automation/automation-schedules 
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CHAPTER 3 


Azure Automation 
Runbook Types 


Azure Automation uses Four types of runbooks, as briefly introduced in Chapter 1: 
PowerShell, PowerShell Workflow, Graphical and Graphical PowerShell Workflow. This 
chapter offers a deep dive into each of these runbook types and shows how to get started 
with them. You'll also learn how to create, import, edit, test, and publish runbooks in 

an Automation account. Note that the Graphical and Graphical PowerShell Workflow 
runbooks have almost similar properties with exception that the latter uses PowerShell 
Workflow in the backend. Hence we will be focussing only on Graphical runbooks among 
the two in this chapter. 


PowerShell Runbooks 


PowerShell runbooks are PowerShell scripts that can be executed against Azure resources. 
You can either import your own PowerShell script or use one from the PowerShell Gallery 
or Script Center. After importing the runbooks, you can edit them directly from the 
Runbook Gallery. 

Let’s import a PowerShell script directly from the Azure gallery. Go to Automation 
dashboard and choose Runbooks » Browse Gallery. For the Gallery Source, select Script 
Center, Type as PowerShell script and Publisher as Microsoft (Figure 3-1). 
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Gallery Source 


| Script Center 


Type 
v PowerShell script 


L] Graphical runbook 


LT PowerShell workflow 


Publisher 
v Microsoft 


Community 





Figure 3-1. Selecting the PowerShell Script option 


I chose Microsoft as the Publisher for this demonstration. 

Select the runbook to be imported. In this case, I am going to import a simple 
PowerShell runbook from the gallery that starts Azure VMs in a subscription or cloud 
service (Figure 3-2). 





Figure 3-2. Selecting a sample runbook 


Once the runbook is imported, by default the edit pane will open. On the left side 
of the edit panel, you can view all the available components for the runbook, listed as 
CMDLETS, RUNBOOKS, and ASSETS (Figure 3-3). 
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"ET Qv Publish X 


> BS CMDLETS 
> © RUNBOOKS 


> MRASSETS 





Figure 3-3. Runbook components 


If you expand CMDLETS, you can view details of all the modules imported for that 
runbook (Figure 3-4). 


y EA CMDLETS — 
Azure 
Azure.Storage 
AzureRM.ApiManagement 
AzureRM.Automation 
AzureRM.Compute 
AzureRM.Profile 
AzureRM.Resources 
AzureRM.Sql 
AzureRM.Storage 
Microsoft.PowerShell.Core 
Microsoft.PowerShell.Diagnostics 


Microsoft.PowerShell. Management 


Microsoft.PowerShell. Security 


Microsoft.PowerShell. Utility 
Microsoft.WSMan.Management 


Orchestrator AssetManagement.Cmdle 





Figure 3-4. Available modules 


If you want to customize the runbook and add a command from one of those 
modules, you can click the command and select the Add to Canvas option (Figure 3-5). 
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— ] 


[ — 
E Azure 3 Connects to Azur 
* Add-AzureAccount e 4 
ServicePrincipal « Add to canvas 





User ° 7 


Figure 3-5. Adding the command to the canvas 


This copies over the command with the required parameters to the edit pane on the 
right-hand side. You can update the parameter values and integrate the command with 
the script logic. This feature is particularly useful when you are creating a new runbook 
on your own. 

The RUNBOOKS component in the left panel lists the runbooks that are currently 
available in the Automation account (Figure 3-6). 


Ai 4 .DESCRIPT 


5 Enume 
Add-DataDiskToRmVM 


AzureAutomationTutorial « Add to canvas 
AzureAutomationTutorialScript ***7 
AzureClassicAutomationTutorial * * * 
AzureClassicAutomationTutorial * * * 


CalculateBlobCost 


scaleUpV2Vm 





Figure 3-6. Adding the runbook to the canvas 


If you want to call any of these runbooks from within your Automation account, 
you can click that runbook and choose Add to Canvas. The runbook being inserted will 
act as a child runbook. There are certain restrictions on what kind of runbook can act as 
a child runbook. PowerShell-based runbooks such as pure play PowerShell runbooks 
and Graphical runbooks can call each other. The Workflow runbooks (PowerShell 
Workflow and Graphical PowerShell Workflow runbooks) can call each other. However, 
to call a PowerShell runbook from within a PowerShell Workflow runbook, the Start- 
AzureRMAutomationRunbook command should be used, and vice versa. 

Let's insert a PowerShell child runbook from within another PowerShell runbook 
(Figure 3-7). 
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CalculateBlobCost 


scaleUpV2Vm Add to canvas 


Start-AzureV2VMs 35 .\CalculateBlobCost.ps1 





Figure 3-7. Adding a child runbook to the canvas 


You can see that it is inserted as .\CalaculateBlobCost.ps1. 


In the Assets section, you can view all assets related to that specific Automation 
account (Figure 3-8). 


^" BASSETS 
Variables 
Connections 


Credentials 





Figure 3-8. Runbook Assets list 


You can add the assets to the runbook again by selecting the Add to Canvas option. 
When you insert the assets, they will be inserted using the corresponding activity 
(Figure 3-9). 


Get-AutomationCertificate -Name 'AzureClassicRunAsCertificate' 


Get-AutomationPSCredential -Name 'testcred' 


Get-AutomationConnection -Name 'AzureClassicRunAsConnection' 





Figure 3-9. Assets inserted to canvas 


As you can see, editing the runbooks from the portal is thus made easy with many 
point-and-play features that help you customize the runbooks. 

The best practice while creating runbooks is to give a description at the beginning 
of the runbook. Let's take a look at the runbook that we imported. It starts with the 
description that explains the runbook requirements in terms of inputs and expected 
outputs (Figure 3-10). 
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{Ë 
2 SYNOPSIS 
Comnect& to Azure and starts of all Wie in the specified Azure subscription or resource group 


> DESCRIPTION 
This runbook connects to Azure and starts all Wis in an Azure subscription or resource group 
You can attach a schedule to this runbook to run if at a xpecific time. Mote that this runbook does not start 
Azure classic Wis. Use httpsi//gallery.technet. microsoft com/scriptcenter/5tart -Arurc-Classic-VMs-üecf746b for that, 


REQUEREE: AUTOMATION ASSETS 
I: An Automation variable asset called "ArzuresSubseriptionId" that contains the GUID for this Azure subscription. 

To use an asset with a different name you can pass the asset name as a runbook input parameter or change the default value for the input parameter. 
2. An Automation credential asset called "Arurecredentlal" that contalns the Azure AD user credential with authorization for this subs: ript lon 

To wie an asset with a different nase you can pads the asset mame às à runbook input parameter or change the default value for the input parameter. 





Figure 3-10. Runbook description 


Before starting the runbook, the parameters can be defined. This is a recommended 
best practice if you want to reuse the runbook with different values each time that you run 
it (Figure 3-11). 


36 param ( 
37 [Parameter(Mandatory-$false)] 
38 [String] #AzureCredentialAssetName = 'AzureCredential', 
39 
[Parameter(Mandatoryz£false)] 


[String] $AzureSubscriptionIdAssetName = 'AzureSubscriptionId', 


[Parameter(Mandatory-$false)] 
[String] $ResourceGroupName 





Figure 3-11. Runbook parameters 


Parameters are defined inside a param statement. You can indicate whether the 
parameters are mandatory. In this case, the parameter is not mandatory, and it will use 
the default values provided (AzureCredential and AzureSubscriptionId). If no default 
values are provided, as in the case of the parameter $ResourceGroupName, then a null 
value will be used. All these parameters are of the type String; hence the inputs provided 
during execution should be of the type String. The type will differ based on the input 
values that you want to provide. For example, if you are providing numeric values, you 
might want to add a parameter of type int. 

Similarly, the OutputType command specifies the type of data returned by the script 
(Figure 3-12). 


# Returns strings with status messages 


[OutputType([String]l)] 





Figure 3-12. Runbook output type 


The Get-AutomationPSCredential activity is used here to get values of the 
Azure credential asset and pass it on to the Add -AzureRMAccount command for the 
authentication against the Azure subscription (Figure 3-13). 
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$Cred = Get-AutomationPSCredential -Name $AzureCredentialAssetName -ErrorAction Stop 


¢null = Add-AzureRmAccount -Credential $Cred -ErrorAction Stop -ErrorVariable err 
if($err) ( 
throw $err 


) 


$SubId = Get-AutomationVariable -Name $AzureSubscriptionIdAssetName -ErrorAction Stop 





Figure 3-13. Get Automation Credential asset values 


The subscription ID is again obtained from a variable asset. 

Now the script moves on to the logical flow, wherein the target VMs are retrieved 
by using the Get -AzureRmVM command and then started by using the Start -AzureRmVM 
command (Figure 3-14). 


# If there is a specific resource group, then get all VMs in the resource group, 
# otherwise get all VMs in the subscription. 
if ($ResourceGroupName) 


- Get-AzureRmVM -ResourceGroupName $ResourceGroupName 


Get-AzureRmVM 


# Start each of the VMs 
foreach ($VM in $VMs) 


{ 
$StartRtn = $VM | Start-AzureRmVM -ErrorAction Continue 


if ($StartRtn.Status -ne 'Succeeded') 
( 


# The VM failed to start, so send notice 

Write-Output ($VM.Name + " failed to start") 

Write-Error ($VM.Name + " failed to start. Error was:") -ErrorAction Continue 
Write-Error (ConvertTo-Json $StartRtn.Error) -ErrorAction Continue 


} 


else 


{ 
# The VM stopped, so send notice 


Write-Output ($VM.Name + " has been started") 





Figure 3-14. Runbook logical workflow 


As you can see in the example, PowerShell scripts that you might be running from 
on-premises can be used as a runbook in Azure with minimal modification. 
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PowerShell Workflow Runbooks 


To create a new PowerShell Workflow-based runbook, go to your Azure Automation 
account and choose Runbooks > Add a Runbook. You can select the Quick Create option 
and set the runbook type as PowerShell Workflow. 

PowerShell workflows are based on Windows Workflow Foundation. PowerShell 
Workflow based runbooks are slightly complex when compared to PowerShell runbooks 
and needs additional changes to convert the PowerShell script to a workflow. It is 
recommended to use workflows when you need checkpoints within the script or failure 
recovery, for example. 

One visible difference between PowerShell runbooks and PowerShell Workflow- 
based runbooks is the usage of the Workflow keyword. The syntax is as follows: 


Workflow «workflowname» 


{ 


<Commands> 


j 


The workflowname should be same as the runbook name. A workflow consists 
of activities executed one after the other. The PowerShell cmdlets are automatically 
converted to activities during execution. 


InlineScript Activity 


Some cmdlets that cannot be converted to an activity are run as is, using InlineScript. 
However, some cmdlets are excluded from this process and cannot be executed from 
within the script. You will get error messages if you try running those cmdlets from 
within the runbook directly. Hence an InlineScript block should be declared, and the 
commands should be executed from within the script block. The variables/parameters 
declared in the runbook elsewhere are not available inside the InlineScript block by 
default. If you want to call them within the InlineScript block, use the $Using scope 
modifier. A sample InlineScript block is shown here: 


InlineScript{ 


$Vnet -$Using:Vnet 
$ResourceGroup = $Using: ResourceGroup 


$vnet - Get-AzureRmVirtualNetwork -Name $VNet -ResourceGroupName 
$ResourceGroup 


j 


This script is calling the parameters $Vnet and $ResourceGroup declared outside the 
InlineScript block with the $Using scope definition. 

Though InlineScript blocks are useful in many scenarios, some features of the 
workflow such as parallel execution and checkpoints are not available inside them. 
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Parallel Processing in the Workflow 


One of the key features of workflows is the ability to execute activities in parallel. These 
activities should be defined inside a parallel script block inside the workflow: 


Workflow test 
parallel { 


Get-Process -Name PowerShell* 


Get-Service -Name s* 


j 
Write-output "Tasks completed" 


j 


Here the Get -Process and Get-Service commands are executed in parallel. Then 
the parallel block is exited, and the command to write the output is executed. 

If you want to execute a set of commands against few targets concurrently, use the 
foreach -parallel construct. The syntax is as follows: 


foreach -parallel ($«item» in $<collection>{ 
sequence { 


«Activity1» 
«Activity2» 


j 


Here Activity1 and Activity2 are executed against each item in the collection in 
parallel. However, their execution order against any particular item will be sequential. 


Checkpoints in the Workflow 


While running the activities in a workflow, exceptions could be thrown. Instead of 
executing the entire workflow from the beginning, you might want to resume the workflow 
from the point where the exception was thrown. Checkpoints are placed in the workflow to 
enable this. The command used is checkpoint-workflow. The syntax is as follows: 


«Activity1» 
checkpoint-workflow 


«Activity2» 


If an exception happens after Activity1, the workflow will start off from Activity2 
when you execute the workflow the next time. 


67 


CHAPTER 3 ™ AZURE AUTOMATION RUNBOOK TYPES 


Sample Use Case 


The use case that I am going to discuss here is automated provisioning of VMs with the 
number of data disks that you define. You can also specify the size of the data disks to 

be provisioned. In Azure, you can attach data disks from the portal only after the VM 
creation. Here we are automating the same process, wherein the VMs can be provisioned 
with data disks already attached. 

There is no runbook readily available in the gallery to do this task. Therefore, an 
Azure PowerShell script to create a new Azure VM in the ARM portal was tweaked to 
achieve this: https: //msdn.microsoft.com/en-us/library/mt603754. aspx. 

The tweaks include the following: 


Converted the PowerShell script to workflow. 
Minor changes to use existing storage and network. 
Commands to add data disk. 


Had to introduce InlineScript in the workflow so that the 
PowerShell commands are executed independently. If this is 
not done, it will throw errors due to issues in data conversion. 


Introduced basic for loop to add data disks based on 
provisioning requirements. 


Here is the runbook: 


Runbook: 


workflow dynamicDDwithparamter 


{ 
param ( 
# If you do not enter anything, the default values will be taken 
# VM name, availability set, and NIC card name 
[parameter (Mandatory=$true) ] 
[String ]$VMName, 
[parameter (Mandatory=$true) ] 
[String ]$ComputerName, 
[parameter (Mandatory=$true) ] 


[String ]$AvailabilitySetname, 
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[ parameter (Mandatory=$true) | 

[String ]$InterfaceName, 

## Compute - Name of VM to be created,Vm size, data disk name 
[parameter(Mandatory-$true)] 
[String]$UserName, 
[parameter(Mandatory-$true)] 
[String]$Password, 

## Storage - Name of existing storage 
[parameter(Mandatory-$true)] 
[String]$StorageName = "testsql295p", 

## Global - Uses an existing resource group 
[ parameter (Mandatory=$true) | 

[String ]$ResourceGroupName = "autotest", 

[ parameter (Mandatory=$true) | 

[String ]$Location = "WestEurope", 


## Network - Name of existing network. This should match the network 
f#settings of other VMs in the target availability set 


[ parameter (Mandatory=$true) | 

[String ]$SubnetiName = "Subnet1", 

[ parameter (Mandatory=$true) | 

[String ]$VNetName = "VNet10", 

[ parameter (Mandatory=$true) | 

## Datadisk - Provide number of data disks and size of the disks 
[Int]$Disknumber , 


[ parameter (Mandatory=$true) | 
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[Int ]$DisksizeinGB , 
## Compute - VM size 
[parameter (Mandatory=$true) ] 
[String]$VMSize = "Standard A2" 
) 
InlineScript{ 
$VMName =$Using: VMName 
$StorageName = $Using:StorageName 
$ResourceGroupName = $Using:ResourceGroupName 
$Location = $Using:Location 
$InterfaceName = $Using:InterfaceName 
$SubnetiName = $Using:SubnetiName 
$VNetName = $Using:VNetName 
$ComputerName = $Using:ComputerName 
$VMSize = $Using:VMSize 
$AvailabilitySetname = $Using:AvailabilitySetname 
$UserName = $Using:UserName 
$Password - $Using:Password 
$Disknumber - $Using:Disknumber 
$DisksizeinGB -$Using:DisksizeinGB 
$connectionName - "AzureRunAsConnection" 
# Get the connection "AzureRunAsConnection 
$servicePrincipalConnection-Get-AutomationConnection -Name 
$connectionName 


"Logging in to Azure..." 
Add-AzureRmAccount ` 


-ServicePrincipal ` 
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-TenantId $servicePrincipalConnection.TenantId ' 
-ApplicationId $servicePrincipalConnection.ApplicationId ' 


-CertificateThumbprint $servicePrincipalConnection. 
CertificateThumbprint 


$0SDiskName = $VMName + "OSDisk" 
$dataDiskName = $VMName + "DataDisk" 


$StorageAccount = Get-AzureRmStorageAccount -ResourceGroupName 
$ResourceGroupName -AccountName $StorageName 


"Collected storage account details ... 
# Network - Creates Public IP, NIC card, and get WNet details 
“configure NIC..." 


$PIp = New-AzureRmPublicIpAddress -Name $InterfaceName -ResourceGroupName 
$ResourceGroupName -Location $Location -AllocationMethod Dynamic -Force 


$vnet = Get-AzureRmVirtualNetwork -Name $VNetName -ResourceGroupName 
$ResourceGroupName 


$subnetconfig = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet 
$Interface = New-AzureRmNetworkInterface -Name $InterfaceName 
-ResourceGroupName $ResourceGroupName -Location $Location -SubnetId $VNet. 
Subnets[0].Id -PublicIpAddressId $PIp.Id -Force 
# Compute configuration 
## Set up local VM object 

“creating VM object properties..." 


$secpasswd = ConvertTo-SecureString $Password -AsPlainText -Force 


$mycreds = New-Object System.Management.Automation.PSCredential ($UserName, 
$secpasswd) 


$AvailabilitySet - Get-AzureRmAvailabilitySet -ResourceGroupName 
$resourcegroupName -Name $AvailabilitySetname 


$VirtualMachine - New-AzureRmVMConfig -VMName $VMName -VMSize $VMSize 
-availabilitysetID $AvailabilitySet.id 


$VirtualMachine - Set-AzureRmVMOperatingSystem -VM $VirtualMachine -Windows 


-ComputerName $ComputerName -Credential $mycreds -ProvisionVMAgent 
-EnableAutoUpdate 
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$VirtualMachine = Set-AzureRmVMSourceImage -VM $VirtualMachine 
-PublisherName MicrosoftWindowsServer -Offer WindowsServer -Skus 2012-R2- 
Datacenter -Version "latest" 


$VirtualMachine = Add-AzureRmVMNetworkInterface -VM $VirtualMachine -Id 
$Interface.Id 


$OSDiskUri = $StorageAccount.PrimaryEndpoints.Blob.ToString() + "vhds/" + 
$OSDiskName + ".vhd" 


$VirtualMachine = Set-AzureRmVMOSDisk -VM $VirtualMachine -Name $0SDiskName 
-VhdUri $0SDiskUri -CreateOption FromImage 
# Attach Data Disks 


For ($i-1; $i -le $Disknumber; $i++) { 
$dataDiskName = $dataDiskName + $i 


$DataDiskVhdUriO1 = $StorageAccount.PrimaryEndpoints.Blob.ToString() + 
"vhds/" + $dataDiskName + ".vhd" 


$VirtualMachine = Add-AzureRmVMDataDisk -VM $VirtualMachine -Name 
$dataDiskName -Caching 'ReadOnly' -DiskSizeInGB $DisksizeinGB -Lun $i 
-VhdUri $DataDiskVhdUriO1 -CreateOption Empty 


$dataDiskName = $VMName + "DataDisk" 


j 


"created VM object properties..." 
## Create the VM in Azure 
"creating Virtual machine..." 


New-AzureRmVM -ResourceGroupName $ResourceGroupName -Location $Location -VM 
$VirtualMachine 


"created Virtual machine..." 


Graphical Runbooks 


Graphical runbooks use a point-and-play model, which makes it easier for 
administrators to create and execute them with minimal PowerShell knowledge. Even 
though Graphical runbooks use PowerShell under the hood, the process is transparent 
to the user. 
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You can either import a runbook from the gallery or create a new one from your 
Automation account by choosing Runbooks > Add a Runbook. Set the runbook type 
to Graphical Workflow. The library items on the left panel are same as discussed earlier 
for the PowerShell runbook, except that it has an additional RUNBOOK CONTROL item 
available (Figure 3-15). 


^ BS CMDLETS 


> Po RUNBOOKS 


P EE ASSETS 


v tt RUNBOOK CONTROL 
Code 


Junction 





Figure 3-15. Runbook control asset 


Runbook control activity includes Code and Junction activity types. The Code activity 
can be used when you want to insert a set of PowerShell commands in the workflow. If 
you add the code to the canvas and edit the same, you will get an option to insert the 
PowerShell cmdlets (Figure 3-16). 


PowerShell code @ 


Name 


PowerShell code 


* Label © 


Code 


Comment 


Convert exceptions to errors @ 


Code 
Author activity logic 


Retry behavior 


Configure retry behavior 





Figure 3-16. Code activity 
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You can also configure a retry logic for the code block (Figure 3-17). 


Enable retry & 


Yes Ha 
Mame 
Powershell code Delay before each retry attempt © 


ü Seconds 
* Label @ 


Code Retry until this condition is true @ 


SRetryData.NumberOfAttempts -ge 10 # retry 10 times 


Comment 


Convert exceptions to errors & 
Yes 


Code 
Author activity logic 
Examples that can be used in retry condition: € 
Retry bahavior ) ; SRetryData.NumberOfAttempts -ge 10 # retry 10 times 
Configure retry behavior | : 
| SRetryData.OCutput.Count -ge 1 & retry until output is produced 
































$RetryData.TotalDuration.TotalMinutes -gë 2 # retry for maximum of 2 minutes 


Figure 3-17. Retry logic 


To start creating your Graphical runbooks from the edit panel, click the 
corresponding cmdlet and choose Add to Canvas. Alternately, you can search for a 
command and add it to the canvas (Figure 3-18). 


add-azureRMaccount 


v AA CMDLETS 
Y AzureRM.Profile 


Add-AzureRmAccount 


Add to canvas 





Figure 3-18. Searching for and adding a command to the canvas 


After adding the command, double-click the command in the canvas to configure its 
parameters (Figure 3-19). 
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ServicefrincipalWithSubsconptionfame 
ae [-Confhirm éXyzbem M aoaqement Automabon SeatchParameter> | 
CP: hon a osranelar col. Credential «System Management Automation PSCredenti al» 
z Viae perameter Sot 
Add-AzuntnAecesunt | iuh = |-Eemironment 


* Labea O t Miensqeft Azure Commandt t ommaoa Sutheone ion Mise eA Sune agreed s] 
[-Brvinanmenth ame. «System Strings] 

-ereeePeinepal Saher Management Autemaben SwibehParameters 
-&ubscriptsaNamo «fy Srring» 

"Teraniid «Systemtring» 

[Whatll «System. Management Automation. bigh Parami »] 


Add-AraoRmAorount 


Ceammeont 


Access TokenWithSubscription Name 
Convert exceptions to errors @ vaatan CET T ng 
Accent cSysbem.Streg: 
[Confirm «Sn berm M acuuagerruenit Aubomalicm SwitehP ai armneters] 
[-Emairanment 
t Microdelt Azure C ómmandt ommo utheome tion Made Azure nvr any > | 
[-Esa onim nt aad x Sysbera Shy || 
-"SubserptissMame the String? 
[:Teniaeitld: « Syriem Siring +] 
[ihaili «System. Management Automation. SwiüchParameter »] 


Ostonal gdditianal parameters 
Ccanhgure parameters 


UserWithSubscriptionMamue 

[:Canfirm «System Management Automation SwitchParameber > | 

[Credential «System Management Automation PSCredental:] 

|-Emzirenment 

Ves pus! Arun Commands Common Authentication Model Az une nesonamen »] 
[-Environmenthame «System String>! 

-SubscriptsceNamo «Systemen String» 

[Tennan pone m String] 

bhat «5yztem. Management iuba ma on. teih Praeter» ] 


Rity behav 
Configure retry behavior 











Figure 3-19. Configuring parameters of the command 


Parameter options are displayed, and you can choose one of those parameters based 
on the workflow logic that you want to implement. Based on the chosen parameter set, 
you can configure the individual parameters further (Figure 3-20). 


Parameter set © 


UserWithSubscriptionName 


Parameters 


CONFIRM @ 
Not configured 





CREDENTIAL O 


Not configured 


ENVIRONMENT © 
Not configured 


ENVIRONMENTNAME 6 
Not configured 


© susscripTIONNAME © 


Configure mandatory parameter 


TENANTID & 
Not configured 


WHATIF © 
Not configured 





Figure 3-20. Configuring individual parameters 
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The mandatory parameters are marked in red. You can select from a list of Data 
Source drop-down options to configure the parameter values (Figure 3-21). 


Activity Parameter Configur.. O X Parameter Value 


Parameter sets 


Data source 
Parameter set B | Mot configured 


UserWithSubscriptionName Constant value 
Runbook input 


Activity output 


Parameters PowerShell expression 
Variable asset 
CONFIRM © Credential asset 


Connection asset 
Not configured Certificate asset 


Empty string 
CREDENTIAL © Null 


Not configured 


ENVIRONMENT © 


Not configured 


ENVIRONMENTNAME © 


Not configured 


© suBSCRIPTIONNAME © 





Configure mandatory parameter 
Figure 3-21. Selecting a data source 


Based on the data source selected, further reconfiguration options are provided. 
For example, if the variable asset is selected, a list of available variable assets in the 
subscription is presented to choose from (Figure 3-22). 


Parameter Value 


Data source 





Variable asset 


VALUE 


AzureSubscriptionid 5a850d8e-29d4-4fea-850f-13... 





Figure 3-22. Variable asset list 


You can configure optional additional parameters such as -Verbose: $true 
(Figure 3-23). 
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Additional Parameters 6 


Name 
Add-AzureRmAccount 


* Label 6 
| Add-AzureRmAccount 


Comment 


Convert exceptions to errors 


| Yes | 


Parameters 
Configure parameters 





Figure 3-23. Configuring additional parameters 


Based on your workflow logic, you can select the next cmdlet and link them together. 
To link one activity to another, hover over the activity in the canvas until a small circle 
appears at the bottom (Figure 3-24). 





Figure 3-24. Linking commands 
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Click and drag to the next activity box to create the link (Figure 3-25). 


Add-AzureRmAccount 


Get-AzureRmVM 





Figure 3-25. Clicking and dragging to link activity 


Double-click the link to get further configuration options (Figure 3-26). 


Type 6 


Error Link @ 


Apply condition 


Condition expression @ 





Figure 3-26. Linking configuration options 
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The link type can be Pipeline or Sequence. If Pipeline is used, the destination 
activity is executed only if the source activity produces an output, which will always be an 
individual object. The number of times the destination activity is executed depends on 
the number of such outputs from the source activity. Sequence links, on the other hand, 
always run once and receive output from the source activity as an array of objects. 

Pipeline is selected by default. The destination activity, which is Get -AzureRmVM, 
will be executed if the source activity (Add-AzureRMAccount) is completed successfully. 
Depending on the source activity output, the destination activity is executed once for 
every object output from the source activity. If Sequence is selected, the destination 
activity runs one time when the source activity execution is completed. 

Error Link is by default set to No. You can toggle it to Yes if you want the destination 
activity to be executed if the source activity emits an error. 

You can configure the input and output of the runbook from the edit panel of the 
runbook. Click Input and Output > Add Input (Figure 3-27). 


H Save @ Publish X c] Input and output KS Test pane isi Feedback 





Figure 3-27. Input and output configuration 


The name, type, and default values can be further configured (Figure 3-28). 


Input and Output Runbook Input Parameter 


4- Add input * Name 6 


Description © 





Input parameters 9 


No items to display 


Output types 6 


Type © 


Enter the type name... 
string 
No items to display 


Mandatory 6 


Default value 6 


Custom 





Figure 3-28. Input parameter 
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The parameter will be listed as the Data Source when you configure parameters for 
your activity (Figure 3-29). 


Parameter Value 


Data source 
Runbook input w 


TestInput (String) 
Optional 





Figure 3-29. Parameter listed as the data source 


Similarly, you can define the output type as well, which will be used as a data source 
for parameters. Alternately, for any destination activity, the output of source activity can 
be provided as an input data source (Figure 3-30). 


Parameter Value 


Data source 


Activity output v | 


Select data 


b Output (PSAzureProfile) 





Figure 3-30. Output as the data source 


After configuring the runbook, you can test it from the Test pane. The last step is to 
publish the runbook so that it is available in the Automation account (Figure 3-31). 


H Save & Publish x ww] Input and output BS Test pane iw) Feedback 





Figure 3-31. Publishing the runbook 


Now, let's look at a runbook from the Runbook Gallery to put together all the 
concepts that we've discussed (Figure 3-32). 
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Stop Azure V2 VMs 
Graphical Runbook 


This Graphical PowerShell runbook connects to Azure using an Automation Run As account 


and stops all V2 VMs in an Azure subscription or in a resource group or a single named V2 
VM. You can attach a recurring schedule to this runbook to run it at a specific time. 
Tags: Azure Virtual Machines, Stop VM, GraphicalPS 





Figure 3-32. Sample runbook 


This runbook stops ARM VMs based on the inputs provided (Figure 3-33). The entire 
workflow is depicted in the edit pane in an easy-to-understand diagram. 


SS 
Gat all VMs in RG Get all VMs in Sub 


oS ———— 




















Figure 3-33. Graphical runbook edit pane 
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In the first step, a runbook input parameter is used to retrieve the 
AzureRunAsConnection value (Figure 3-34). 


Name 


Get- Automation onnection 


* Label © 
Get Run As Connection 


Comment 


Convert exceptions to errors & 


Data iurë 


Runbook input 


ResourceGroupMName (String) 
Optional 


Vidiame (String) 
Optional 








Figure 3-34. Input parameter to retrieve AzureRunAsConnection 


The next step establishes a connection to the target Azure account (Figure 3-35). 


Mame 
Add-ArzureRmAccount 
* Label e 

Connect to Azure 


Comment 


Connect with Arue. Requires an Azure 
Run As Account. 


Convert exceptions to errors © 


v BN 


Opbona additional parameters 
Configure parameters 


Retry behavior 
Configure retry behavior 


Figure 3-35. Connecting to the target Azure account 


Parameter set B 


ServicePrincipalCertificate 


Parameters 


W” CERTIFICATETHUMBPRINT @ 


Get Run As Connection (Activity outp... 


ENVIRONMENT © 


Nat configured 


ENVIRONMENTMAME @ 
Nat configured 


 SERVICEPRINCIPAL © 
true (Constant value) 


w” TEHANTID © 


Get Run As Connection (Activity outp.. 


Solent data 
Po Get Run As Connection 


Selected actrity name 


Get Run As Connection 


Field path & 
Applicationld 





The activity output of the previous activity is used as one of the input parameters, 
and the value to be used is distinguished by the Field path. 
A sequence link with conditional logic is created to three target activities (Figure 3-36). 
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i 5o Typo @ 

| 

|. Get un As Connection Pipine | Sequence 
T = d Engr Link & 


Comment 


Cet all Vids in BG 


Apply condition 


Mà 


"cd Lr 


Candin expression © 


ResourceGroupMName runbook input 
parameters have values 

LIT 

{ 

(SV ama «ne fruli) «and 

[SV M Hame.Length «gt Cj) 

) -and ( 

(iS RescurcearoupName -ne fnul -and 

(S Resouceiroup Name Length -gt (yp P 
) 





Figure 3-36. Target activities 


Depending on the input provided during execution and the evaluation of the 
condition, the workflow will either get a single VM, get all VMs in a resource group, or 
get all VMs in a subscription. It will then proceed to stop the VMs. 

During execution, you need to provide the required parameters. In this case, all the 
parameters are optional and have default values assigned if not provided during runtime 
(Figure 3-37). 


b start 


Parameters 
RESOURCEGROUPNAME 6 


AzurePPE ssid 


Optional, String 


VMNAME @ 


Optional String 


AZURECONNECTIONASSETNAME 6 


Default will be used 


Optional, String, Default: 
AzureRunAsConnection' 





Figure 3-37. Input parameters during execution 
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If the resource group name is not provided, all resource groups in the subscription 
will be selected by default, and all VMs in the subscription will be shut down. If you want 
to shut down a VM, the resource group name and VMname should be provided as shown in 
Figure 3-37. 


Runbook Outputs 


As in PowerShell, Azure Automation runbooks also communicate the status and output 
as message streams. These streams include Output, Warning, Error, Verbose, and 
Progress. The Debug stream in PowerShell for interactive users is not used in Azure 
Automation runbooks. These message streams are written in the job history if you are 
executing a published runbook. If executing the runbook from a Test pane, results are 
written in the output pane. 


Output Streams 


The Write-output command should be used to create output objects. The most common 
use case occurs when you call a child runbook inline from within a parent runbook. The 
output objects are passed back to the parent runbook. Alternately, you can use the write- 
output command from within a function, and the output objects will be passed back to 
the runbook. The syntax of the command is as follows: 


Write-Output 
[-InputObject] <PSObject[ ]> 
[| -NoEnumerate | 
[ <CommonParameters> | 


The output type can be declared as an OutPutType attribute. The output type can be 
integer, string, array, and so forth. For example: 


[OutputType([string])] 


Declaration of the output type helps defining the runbook logic, because it gives an 
indication of the expected output. 

Sample code snippets for PowerShell and PowerShell-based runbooks are shown 
here: 


Write-output -InputObject $0utputobject 
$Outputobject 
Write-output " Sample output" 


For Graphical runbooks, the Input and Output menu (Figure 3-38) can be used to 
declare the runbook output type. 
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Input and Output 


+ Add input 


Input parameters © 
ResourceGroupMame (Stnng 
Optiona 
VMName (String) 

Optiona 


AzureConnectionAssetMame (String 


^ TL "Ma. Ea = J a. pi, 7 
t value: AzureRunAsConnt 


Output types @ 


Ho items to display 





Figure 3-38. Declaring the output type in the runbook 


Message Streams 


Message streams are used to provide warnings, errors, and verbose messages to the user. 

Warning and error messages can be invoked by using the write-error and write- 
warning cmdlets, respectively. Here is a sample code snippet for error and warning 
messages that can be used in a runbook: 


Write-Warning -Message " Warning message" 
Write-Warning -Message "Error message" 


Verbose messages help with debugging the runbook. These messages can be 
enabled, if required, from the Runbook settings in the Azure portal (Figure 3-39). 


- Logging and tracing 
Aléave & Discard 
Logging 


Log verbose records 


Cort B 


Log progress records 


OH M 


Activity-level tracing 


Trace level 


Hone Bauc Detaaled 


Tracing includes 
Avctraty start and end times 
Activity retry datae number of attempts, start time, total duration 


For published runbooks you must turn on Verbose logging in order to see the Waung 





Figure 3-39. Enabling logging for verbose messages 
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Summary 


This chapter covered the various runbook types possible in Azure. The chapter also 
provided a walk-through of runbook creation and customization as well as the output 
streams of a runbook. We also covered a couple of use cases related to the different 
runbook types. 


Additional Resources 


https://docs.microsoft.com/en-us/azure/automation/automation- 
troubleshooting-automation-errors 


https://docs.microsoft.com/en-us/azure/automation/automation-runbook-output- 
and-messages 


https://docs.microsoft.com/en-us/azure/automation/automation-runbook-types 
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Azure Automation DSC 





PowerShell DSC is a configuration management solution from Microsoft that can be used 
across both Windows and Linux platforms. It is aligned with the configuration as a code 
concept, wherein you can define the desired state of your environments as simple text- 
based configurations and ensure compliance against these configurations. PowerShell 
DSC is supported in Azure Automation, where you can upload your DSC configurations, 
compile them, and apply them to DSC nodes. This chapter covers the components of 
PowerShell DSC; you'll learn how to create and apply DSC configurations and how the 
whole workflow can be done again via Azure Automation DSC. 


PowerShell DSC 


PowerShell DSC works based on the concept of configuration, resources, and the DSC 
engine, which is the local configuration manager. 


Configuration 


The configuration defines the framework of DSC, which includes the variables to be used, 
the target nodes, and the resources for configuring those target nodes. DSC uses PowerShell 
syntax and starts with the configuration keyword. Sample configuration is given here: 


Configuration TestConfiguration { 


Node localhost{ 
WindowsFeature requiredfeature1 { 


Ensure = "Present" 
Name = "Web-Server" 
j 
Service requiredservicei { 
Name - "W3SVC" 
StartupType - 'Automatic' 
State - 'Running' 
j 
j 
j 
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This is a basic configuration that, when applied against nodes, ensures that the 
Web-Server feature is present in the target node. It will also ensure that the World 
Wide Web Publishing service is started. The target node here is localhost. You can also 
input the hostname as a parameter by using a param block before the Node block. The 
configuration can be updated as follows: 


Configuration TestConfiguration { 
param( 


) 


Node $ComputerName { 
WindowsFeature requiredfeature1 { 


[string[]]$ComputerName-"WebVM1" 


Ensure - "Present" 
Name = "Web-Server" 

j 

Service requiredservicei { 
Name - "W3SVC" 
StartupType - 'Automatic' 
State - 'Running' 

j 


The configuration files can be saved as a . ps1 file and compiled as a PowerShell 
function to create a Management Object Format (MOF) file. The MOF file contains the 
desired configuration, which will be applied to the target nodes. Execution of this MOF 
file is carried out either in the Push or Pull mode by the Local Configuration Manager. We 
will revisit the process later in this chapter when we discuss the DSC engine. 


Resources 


Inside each Node block, there can be multiple resource blocks that define the action to 
be taken on those nodes. In the preceding example, in each target node, DSC will ensure 
that the Web-Server feature is installed. A set of built-in resources can be used in DSC 
configurations, or you can create your own custom resources. 

The following are some of the important built-in resources available in DSC: 


WindowsFeature: Installs a Windows feature and ensures that 
the feature is present in the target node 


WindowsProcess: Ensures that a given process is started and 
present in the target node 


Archive: Used to unpack a zip file to a specified destination path 
User: Creates and manages local user accounts 


Group: Creates and manages local groups 
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Log: Logs messages in DSC Analytics log during execution 


Package: Used to install/uninstall packages on the target node 


Registry: Manages Registry keys 
Script: Executes PowerShell scripts 
Service: Manages services 


File: Used for file and folder management 


Environment: Used for managing system environment variables 


In addition to these main resources, other built-in resources are available 
for functionalities defining dependencies, enabling optional features, installing 
package .cab files, and more. For example, these resources include but are not 
limited to WaitforAllResource, Wait forAnyResource, WindowsFeatureSet, and 
WindowsOptionalFeatureSet. We will not go into extensive detail about the resources in 


this chapter; instead we'll focus on a use-case perspective. 


The command Get -DSCResource can be used with the -syntax parameter to get the 
syntax of the built-in resources, and you can use that as a reference to create the resource 


(Figure 4-1). 


5 SMS Get-DSCResource WindowsFeature -syntax 
5 


indowsFeature [String] #ResourceName 
Name - Eum 

Credential PSCredential]] 

DependsOn = [string[]11] 

Ensure = [stringit Absent | Present )] 
IncludeAllsubFeature = [bool]] 

LogPath = [string]] 

Pete ciüinAsCredential — - [PsCredential] ] 
Source = [string] ] 


S C:\WINDOWS\system32> Get-DSCResource WindowsProcess 
1ndowsProcess Istringl ÉResourceName 


Arguments = [string] 
Path - is tring] 
Credential PSCredential]] 
DependsOn = [string[]]] 
Ensure = [string]{ Absent | Present H 
PsDscRunAsCredential = [PSCredential 
StandardErrorPath = Eri 
StandardInputPath - [string 
StandardOutputPath = a 
WorkingDirectory = [string] 


} 


PS C:\WINDOWS\system32> Get-DSCResource archive -syntax 


rchive [String] #ResourceName 


Destination = pss 
Path = [string 


-syntax 


Checksum = mn CreatedDate | ModifiedDate | SHA-1 | SHA-256 | SHA-512 }] 


Credential = [PsCre 
DependsOn = [string[ 
Ensure = [string]{ Jum | Present )] 
Force = [boo 

PsDscRunAsCredential = [PSCredential]] 
Validate - [bool]] 


(rra 


Figure 4-1. Get-DSCRecource command syntax 
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Now let’s look at few sample resource blocks using some of the built-in resources. 
You have already seen an example of the WindowsFeature and Service resources in the 
previous section. Let’s revisit the example so you can understand what that code will 
accomplish: 


WindowsFeature requiredfeature1 { 


Ensure = "Present" 
Name = "Web-Server" 

j 

Service requiredservice1 { 
Name = "W3SVC" 
StartupType = ‘Automatic’ 
State = ‘Running’ 

j 


The WindowsFeature resource will ensure that the Web-Server feature is installed 
on the target node. The Service feature, on the other hand, ensures that the World Wide 
Web publishing service is set to Automatic and is in the running state. Note that the Name 
used here is not same as the display name of the feature/service. You can get the name 
of the feature and service by using the Get -WindowsFeature and Get-Service cmdlets, 
respectively. 

Here's another example: 


File Websitenew { 
Ensure - 'Present' 
SourcePath = 'c:Nebsitecontent NV index.html' 
DestinationPath = ‘c:\inetpub\wwwroot' 


j 


This example uses the built-in resource file, and copies the file from the source 
c:\websitecontent\index.html to the destination c: NinetpubNwwwroot. The use case 
here is copying a custom index.html file to the inetpub root. 

Consider this example: 


Archive TestArchive { 
Ensure = 'Present' 
Path = ‘C:\Archivetest\Test. zip’ 
Destination = 'c:MArchivetestNtestfolder' 


Here, the built-in resource archive is used. The contents of the zip file Test. zip will 
be extracted to the Destination path. 
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Now let’s consider a use case of a JDK installation. The following sample code shows 
how to install the . exe file by using the Package resource and then set the JAVA HOME 
environment variable by using the Environment resource: 


Package JavaInstall{ 


Ensure = 'Present' 
Path = 'C:\test\jdk-8u131-windows-x64.exe' 
Name = 'Java 8 Update 131 (64-bit)' 
ProductId = '' 
Arguments = '/s STATIC-1 WEB JAVA=0' 
J 
Environment Javahome{ 


Ensure - 'Present' 
Name - 'JAVA HOME' 
Value = ‘C:\Program Files\Java\jdk1.8.0 131' 


j 


This can be useful when you want to perform a hands-free installation of JDK using 
DSC. The .exe file is available at the path C: \test\jdk-8u131-windows-x64. exe. You 
need to specify the name, product ID if known (it will work even if we leave it blank for 
JDK), and any arguments that you want to pass during installation. Here we are passing 
the arguments of a silent installation of JDK. 


DSC Engine (Local Configuration Manager) 


The Local Configuration Manager, or LCM, is responsible for applying the configuration 
on the target nodes and maintaining the as is state, which is the highlight of DSC. The 
LCM manages Pull and Push modes as well as partial configurations. DSC can work in 
either a Pull mode or Push mode architecture. 


DSC Push Mode 


The Push mode is the manual approach of applying a DSC configuration. The 
configurations are pushed to the target nodes by an administrator using the Start- 
DSCConfiguration cmdlet. You can point to the MOF file to be used by using the 

-Path parameter. The first step is to compile the configurations stored as . ps1 files as 
PowerShell functions. For example, if the PowerShell script name is example.ps1, you can 
compile it from a PowerShell prompt as shown in Figure 4-2. 





Figure 4-2. Compiling a DSC configuration 
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You can see that it creates a folder of the same name with a MOF file inside it 
(Figure 4-3). 






his PC > OSDisk(C) > DSCsamples > Example 


^ 






[] Name 


al) localhost.mof 


Figure 4-3. Folder with MOF file 


Itis this MOF file that will be applied by using the Start-DSCConfiguration 
command in Push mode as follows. You can use the -wait or -verbose commands to get 
details of the operation. The command expects the MOF file to be present in the location 
from which the command is executed. Alternately, you can point to the folder containing 
the MOF file by using the -path command (Figure 4-4). 


ES 5tart-Ds iguration , EX 

| ERBOSE: "Pert Form operation TIm oke CimMethod' with fo Towing parameters, methodName 

endConfigurationApply, ‘className’ = MSFT_DSCLocalConfic rationManager, 'namespaceName ' 

root/Microsof t/Windows /Des iredStateConf iguration". 
WERBOSE: An LCM method call arrived from n TUA ‘MININT-S2EIH4C with user sid 
5-1-5-21-2146773085-9301363285-719344707-207181? 
MERBOSE: [MININT-SZEIHdC]: LOM: Start Set 
VERBOSE: [MININT-S2EIH4C]|: : Start Resource File]MyFile 
WERBOSE: [MIMINMT-S2EIHAC]: : Start Test File |MyFile A 
VERBOSE: [MININT-S2EIH4C |: Fi le |MyF ile system cannot find the file specified. 
i MININT-SZETH4C |: File|MyFile related file/directory 15: c: \OSCTestFi le. txt. 


MININT-SZEIH4C]|: : Test ] Filej«yFile] in 0.0000 sec 


MIMINT-SZEIH4C]: : : Set Fileiwyrile Doe * 
MIMINT-SZEIHAC|: FileiMyF1le system cannot find the file specified. 
MININT-S2EIHdC|: FileiMyFile related file/directory is: c:XDSCTestFile.txt. 
MININT-S2ETH4C |: : Set FilejMyFile] in 0.0000 seconds 
MININT-S2ETH4C |: Resource File)MyFile 
MINMINT-S2EIHdC]: LOM: Set 

: [MININT-S2EIHAC]: LOM: End Set 

t Operation 'Invak e CinMethod' complete. 

VERBOSE: Time taken for configuration job to complete is 0.34/ seconds 


in 0.1850 seconds. 





Figure 4-4. Output of Start-DscConfiguration 
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By default, the configuration is applied to the machine from which the command 
is executed. To push the configuration to a remote computer, use the -computername 
parameter. The architecture is depicted in Figure 4-5. 


Target nodes 











DSC config 


Push mode 





Sysadmin machine 


Figure 4-5. DSC Push architecture 


No specific setup is required for leveraging the Push mode architecture. However, 
itis not scalable when we consider large deployments and environment management. 
A more ideal use case is testing DSC configurations, since that does not require setup of 
an additional server as a central repository for configurations. 
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DSC Pull Mode 


In Pull mode, as the name indicates, a centralized pull server comes into the picture. 
In this architecture, the LCM on the target nodes periodically contacts the pull server 
for compliance checks. The configurations for the nodes are sent by the pull server, 
which is then executed by the LCM on the target nodes. The pull server could be a web 
server configured to provide an OData web service or an SMB share to hold the DSC 
configurations (Figure 4-6). 


larget nodes 





DSC contigs Pull Server 


Figure 4-6. DSC Pull architecture 


Azure Automation DSC uses Pull mode and comes with a built-in pull server. This 
reduces the complications of setting up an additional pull server to manage clients, 
thereby reducing operational overhead. In both the Pull and Push models, the engine that 
finally applies the configuration on the target nodes is the Local Configuration Manager. 
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Configuration Management Using LCM 


LCM is available by default on all machines running PowerShell 4.0 or above. It 
controls how the configurations are applied and managed depending on the Push/Pull 
architecture used. You can examine the current configuration of LCM by executing the 
command Get -DSCLocalConfigurationManager (Figure 4-7). 


PS C:\DSCsamples> Get-DSCLocalContigurati onManager 


ctionAfterReboot : ContinueConfiguration 
igentId : F765414E-6248-11E7 -8706-D8FC9360609D 
lowModuleOverwrite : False 
ertificateID : 
onfigurationDownloadManagers : {} 
onfigurationID - : 
onfigurationMode ... i ApplyAndMonitor 
-onfigurationModeFrequencyMins : 15 
redential : 
DebugMode : {NONE} 
Down loadManagerCus tomData : 
DownloadManagerName : 
LCMCompatibleVersions : 1.0, 2.0] 
LCMState : Idle 
LCMStateDetai | : 
LCMVers1on ' mg 
StatusRetentionTimeInDays : 10 
SignatureValidationPolicy : NONE 
SignatureValidations : {} 
laximumDown l oadS iz eMB : 500 
PartialConfigurations 
RebootNodeIfNeeded : False 
RefreshFrequencyMins : 30 
RefreshMode : PUSH 
ReportMana ers : i 
ResourceModuleManagers : 
PSComputerName : 


Figure 4-7. Get-DSCLocalConfigurationManager command output 


Let's review some of the important properties revealed by this command: 


RefreshMode: In this configuration, the property is set to Push. 
In a pull server architecture, the value will be set to Pull. It 
can also be updated as Disabled if you do not want DSC to 
manage the desired state of your nodes. In one use case, you 
are using other configuration management tools and want to 
avoid conflicts. 


ActionAfterReboot: The options available are 
continueconfiguration and stopconfiguration. This 
property defines the action to be taken on the target node if 
it reboots on applying a configuration. 
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ConfigurationModeFrequencyMins: This property defines the 
frequency at which the LCM checks for compliance against 
the latest locally available configuration. This configuration 

is checked and downloaded based on the value of the 
RefreshFrequencyMins property. The value is set to 15 
minutes by default. 


RefreshFrequencyMins: This property is significant in Pull 
mode. It denotes the interval at which the configuration is 
downloaded by LCM to the target nodes. 


ConfigurationMode: This property defines how the 
configurations are applied by LCM on target nodes. These are 
the possible values: 


ApplyOnly:Ifthis value is used, the configuration is applied 
and LCM does not take any further action until another new 
configuration is pushed to it (Push mode) or pulled to it by 
DSC when it contacts the pull server. 


ApplyAndMonitor: The configuration is monitored by LCM, 
and any deviations are marked in the logs. 


ApplyAndAutoCorrect: If this value is used, any configuration 
drifts that are detected are logged and will be corrected in 
accordance with the latest available configuration file. 


AllowModuleOverwrite: If this value is set to true, the 
configuration on the target node is replaced by the latest 
modules downloaded. 


RebootNodeI fNeeded: When changes are made to target 
nodes by using the DSC configuration, you might be required 
to reboot the systems for the changes to be effective. This 
property indicates whether the system should be rebooted 
after applying the configuration. 


Using PowerShell DSC on Premises 


The entire process has three phases, regardless of whether the architecture is using a 
Push or Pull model: 


1. Authoring phase: The DSC configurations are created as 
PowerShell functions. The editing can be done in tools such as 
Notepad or PowerShell ISE. 


2. Staging phase: The configuration is compiled and converted 
to MOF files. In a Push architecture, the configuration 
is pushed to the target nodes. In a Pull architecture, the 
configuration is stored in the pull server and sent to the target 
nodes during the refresh interval. 
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3. Execution phase: In this "make it so" phase, LCM applies the 
compiled MOF files against the target nodes. The MOF files 
are stored locally in the %system324\configuration folder 
(Figure 4-8). 


:NVindousNS ystem32\Conf igurat ion>dir 
Volume in drive C is OSDisk 


Uolume Serial Number is B8B4-38"78 


Directory of C:\Windows\System32\Conf iguration 


A770372017 86:24 AM 4.1880 backup.mof 
770372017 86:24 AM <DIR> Built inProvCache 
7/03/2617 86:24 AM 4.100 Current .mof 
770772017 82:86 AM 244 DSCEngineCache.mof 
6/36/2617 87:82 AM 5L82 MetaConf ig.mof 
7/03/2017 86:24 AM 3,464 Previous .mof 
7/77/2017 62:66 AM 3 PullRunLog.txt 

6 File<s>) 12.413 bytes 


i Dir(s) 29,958,328,320 bytes free 


Figure 4-8. Contents of the %system32% \configuration folder 


The current.mof file will have the latest configuration applied to the node. This is also 
backed up as backup.mof in the same folder. Whenever a new configuration is applied, 
the current.mof file is renamed to previous .mof. Another file named pending .mof would 
be present if execution of any configuration happens to fail. LCM will try to execute the 
pending .mof file if it is present. 


Sample Use Case 


Now let’s put together what we have discussed so far in a sample use case and apply it to a 
target node by using a simple DSC configuration. 
The DSC configuration file that Iam going to use has the following contents: 


Configuration DSCdemo { 


# Import the module that contains the required DSC resources 
Import-DscResource -ModuleName PsDesiredStateConfiguration 


# This configuration will be applied to the localhost 
Node 'localhost' { 


# The first step is to ensure that the Web-Server feature is 


installed 

WindowsFeature WebServer { 
Ensure = "Present" 
Name = "Web-Server" 

} 
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# The File resource is used to copy the index.html file to the 
website root folder. 
File WebsiteContent { 

Ensure = ‘Present’ 

SourcePath = ‘'c:\test\index.html' 

DestinationPath = ‘c:\inetpub\wwwroot ' 

Force = $true 
} 
# Here the service resource is being called to keep the World Wide 
Web Publishing service running 

Service requiredservicei { 

Name = 'W3SVC' 

StartupType = ‘Automatic’ 

State = ‘Running’ 


j 


# JDK is being installed using the Package resource. It expects the 
exe file to be present in the location 'C:Ntest' 

Package PackageExample{ 

Ensure = 'Present' # You can also set Ensure to "Absent" 


Path = 'C:\test\jdk-8u131-windows-x64.exe' 
Name = 'Java 8 Update 131 (64-bit) ' 
ProductId = '' 


Arguments = '/s STATIC-1 WEB JAVA-O' 


Environment Javahome{ 
Ensure - 'Present' 
Name - 'JAVA HOME' 


Value = ‘C:\Program Files\Java\jdk1.8.0 131' 


The comments provide a good explanation of the desired state that will be achieved 


by applying this configuration. In a nutshell, it will install the Web-Server feature. It 
copies over an index.html file to the root folder of the server, ensures that the World 
Wide Web publishing service is started, installs the JDK package, and sets the JAVA_HOME 
environment variable. Let's save this configuration as DSCdemo. ps1. 
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In this use case, I am executing the DSC configurations from the PowerShell ISE. 
The first step is to compile and create the MOF file (Figure 4-9). 


PS C:\test> .\DSCdemo. ps1 
PS C:\test> dscdemo 


Directory: C:\test\DSCdemo 


Mode LastwriteTime Length Name 


-a--- 7/7/2017 4:16 AM 4050 localhost.mof 


Figure 4-9. Creating the MOF file 


In the next step, we will apply the MOF against the target node by using the 
start-DSCconfiguration command. In the PowerShell ISE, a progress bar indicates 
the progress of execution (Figure 4-10). 


Apphary Confegac aea BOGO rere, [ESI] oat. 
WR: Sha: LO: | Start et ke 
VERBE ; Em i LEM; Start Besgerce Emri ramen] RE d 
WEEBOA: (TAT: LÓM: Mart Test Caw i rome te oe 
wee: [TEST] [rr | rom prf FARM) pDmedrunmeni var labbe 'lAXA sen" 
Mee Pee ice o T ct hear 1o OP cart reece T et m ñ ntbü cere, 


Figure 4-10. Start-DscConfiguration in progress 


The command used for execution is Start-DscConfiguration -path .\DSCdemo 
-wait -verbose. 
The output is shown in Figure 4-11. 


PX Cita vtart- rennen pron ird reed Werbe 
WEEKE: v raa pith, eia wit "Eit- Parameters, '^mrühoduame = LaedomeligeratinApely, rlariuame! c WRIT DlexalcsuligasaíbpnMamager, namenpacsüape! = root Mi coena T whndcen ens 
os c may TX stad Eos te = TEEPE wath uter add -f-t AI ELD TATE Pee) 106, 


Tbe oprratian Sindee cmure” tartod: eb tenerr 
The rn e dC Winkel catur Sutceodod- wb Soreer 
Án 8.0590 rocam. 


lites porter dal ci net nir mtm ME 
LERT cm emib. 
sird Filefdirmciary ir: oc: inertial eee 
iim iut fros racha 
fit cte inde. pmi pn rci met pub aa ides rad , 
6. Fu seconds. 


Zz2522£z£z22£23 1 
— 





=) 


Servies requiredcerwarel] Geewice WERE" eturted, 

eirequiredeervice]) ie $, 7D cecones. 

E wem] 
=: 


7 maie 


HE 


VOD) Erviraemnnt able "Iara Hep" 
MEORUM 


n E gud warklable "Ras E^ with sale '"Deegram Fi len lave) 10D 8.0 111* 


illl 


© 
validate inert nah song ; Fakh wat Curs fll di LE m mmn - dl mor 
apre) Tha path rxüemibn was . 
wi Tere [^ Present 
proar 


tapir) proim t M tenean ts 
Ier package ava A diete 17 (fd-bith b met dere bed 
F 


F 
Ai idare- Tiere gS Fath mak Ci i I dr Eu L cm ots m, coe 
| The path extemibnn wai ewe 

LJ 





cE 





Figure 4-11. Start-DscConfiguration verbose output 
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On reviewing the output, we can see that several activities are happening after we 
apply the configuration: 


DSC checks whether the Web-Server feature is installed and 
confirms that it exists. 


The file index. html is copied over from the source location to 
the inetpub root. 


Starts the W3SVC service. 


Checks for the environment variable JAVA HOME. It is not 
found, and hence DSC creates the environment variable. 


Installs the JDK package with the provided parameters. 


Azure Automation DSC 


Azure Automation DSC is basically PowerShell DSC implemented via the Pull architecture 
into the Azure Automation suite. The pull server is built in by default. You can upload 
the DSC configurations to the Azure portal, compile them, and then apply them to target 
nodes. The target nodes in this case could be Azure VMs, on-premises VMs, or VMs in other 
platforms such as AWS. Azure Automation DSC provides a truly hybrid and centralized way 
of managing the configuration of all your systems from the Azure portal GUI. 

Let’s look at the DSC components from the Azure portal. You can view them listed 
under your Configuration Management in your Azure Automation account (Figure 4-12). 


CONFIGURATION MANAGEMENT 
tf) DSC nodes 


e DSC configurations 


E DSC node configurations 





Figure 4-12. DSC components in the Azure portal 
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DSC Configurations 


The PowerShell DSC configurations should first be created in an editor such as Notepad 
or the PowerShell ISE and then uploaded to Azure Automation DSC as a .ps1 file. 


1. In your Azure Automation account, select DSC Configuration 
from the overview panel or from Configuration Management. 
Click the Add a Configuration option (Figure 4-13). 


SSS SSS Sa sss. See 


d Add a configuration [Z Learn more o Refresh 


we manar BASTIAOWMAIS CT aT LACT AMODAT 


Figure 4-13. Adding a DSC configuration 


Let's select the same demo script that we used earlier in the 
on-premises example (Figure 4-14). 


Import 


contiquration 
Add a new configuration or update an existing 
one. Select a file smaller than 1 MB to import. 
* Configuration file @ 
DSCdemo.ps1 v E] 
Xo 


DSCdemo.ps1 


* Name 

















| DSCdemo 


Description 


DSC demo script 





Figure 4-14. Selecting a script 
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2. The name of the configuration will be automatically retrieved 
when you upload a DSC configuration with proper syntax. 
Click OK to import the configuration. After it's imported, it 
will be listed under DSC Configurations in the Automation 
account with Authoring status as Published (Figure 4-15). 


te Add a configuration [A Learn more C) Refresh 


NAME AUTHORING STATUS 


DSCdemo Published 





Figure 4-15. DSC authoring status 


3. When you click the published configuration, it gives you 
additional options for management (Figure 4-16). 


E> comple d Export XM Delete 
Essentials ^ 


Resource group Account 
omsrg omsrgéutmn 
Location Subscription name 
eastus2 
Subscription ID Status 

Published 
Last published Configuration source 


7/7/2017 3:47 PM View configuration source 


Deployments to Pull Server 


Compilation jobs 


STATUS 


No compalation jobs found. 





Figure 4-16. DSC published configuration management 
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You can compile the configuration from here, delete it, 
or export it as a . ps1 file from the portal. Click the View 
Configuration Source option to see the content of the 
configuration (Figure 4-17). 


Configus ation DL demas | 


i import the module that contains the requeed OSC resources 
import DacResource - ModubeName Prbesied tate onqurabon 
Poia Ta 
omangeutnen E Tha Cota wil be applsed no ehe locane! 
Taia - Node "localhost ( 
Subsorqobipes nae 


8 The fest step is to enune that WebServer feature e irtalled 
tabus Wirkdiows Feature Webserver | 
Mut ed 


Ensure = “Present” 
Contra wues 


Mame = Web- Sener 
View configuration source | 


E The File resource is weed to copy the index hiemi file to the website root foider, 
Fie Webute ontent | 

Ende = Prepent 

SóurorP ah s ‘beh en hti 

DuestingbonP sth a "cC'unetpullwwroot 

Force = $true 


8 Here the perce resource 6 Deng called io krep the World wide web publshing vrac 
maniing 





Semysrm Teure 1 | 


Figure 4-17. Viewing the DSC source 


Note Editing the DSC configuration is not possible from the Azure portal at the time of 
writing this book. 
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9. The next step is to compile the configuration. Click Compile. 
You will get a prompt to confirm the action. After compiling, 
the configurations will be placed in the built-in DSC pull 
server in Azure, and any existing configurations with the same 
name will be replaced. Click the Yes option, and the request 
will be queued for compilation (Figure 4-18). 


Cj Export — 9€ Delete 


Compile DSC Configuration 


Are you sure you want to compile this configuration? Any node configurations 
generated will be automatically placed on the Azure Automation DSC pull server. If 
node configurations with the same name exist on the pull server, they will be 
overwritten. 





Figure 4-18. Compiling the DSC configuration 





6. Theconfiguration is then queued for compilation. After the 
compilation is completed, the pane will show the status 
(Figure 4-19). 


Deployments to Pull Server 
Compilation jobs 


STATUS CREATED LAST UPDATED 


v’ Completed 7/7/2017 4:09 PM 7/7/2017 4:11 PM 





Figure 4-19. Compilation job status 
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7. Information about the node configuration that is available on 
the pull server after compilation is also displayed (Figure 4-20). 


Available on Pull Server 


Node Configurations 


1 


NAME LAST UPDATED 


DSCdemo.localhost 7/7/2017 4:11 PM 





Figure 4-20. Node configuration on the pull server 


8. Ifyou click the job compilation status, additional information 
is displayed, such as errors, warnings, and exceptions. You can 
click each of the tabs to get additional information (Figure 4-21). 


Details 


</> 


Config uration source 


snapshot 


Monitoring 


Errors Warnings 


1 A g All Logs 


Exception 





Figure 4-21. Job output 
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DSC Node Configurations 


Node configurations are the MOF files created after compiling the DSC configurations. 
You can view the list of MOF files present in the Azure Automation DSC pull server by 
choosing Azure Automation > Configuration Management > DSC Node Configuration 
(Figure 4-22). 


A Add a NodeConfiguration — 9€ Delete o Refresh 


NAME CREATED 


DSCdemo.localhost 7/7/2017 4:11 PM 


MyFile.localhost 6/27/2017 6:12 PM 


OMSAgent.localhost 6/19/2017 1:28 PM 





Figure 4-22. MOF files in the pull server 


The DSCdemo config that we compiled in the previous step is also listed. You 
can see that there is an option to add a Node configuration. If you have compiled a 
DSC config locally that created an MOF file, it can be uploaded here. Click the Add a 
NodeConfiguration option. Browse and upload the MOF file. Provide the name of the 
configuration. The node configuration name will be created automatically after you 
provide the configuration name (Figure 4-23). 


The file must be a DSC Node Configuration script (.mof) smaller than 1 MB. 


* Node Configuration File @ 


localhost.mof y [z] 


X o 


localhost.mof 


* Configuration Name 


Node Configuration Name (auto generated) & 


example.localhost 











Figure 4-23. Uploading the MOF file 
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The uploaded node configuration is now available in the DSC pull server along with 
the other node configurations that were compiled from the Azure portal (Figure 4-24). 


d- Add a NodeConfiguration — 9€ Delete o Refresh 


DSCdemo.localhost 7/7/2017 4:11 PM 


Example.localhost 7/8/2017 5:13 PM 





Figure 4-24. Uploaded MOF listed in DSC pull server 


This is a good example of flexibility of the Azure Automation platform. Users can 
choose to compile and create the MOF files directly from the portal, or bring in already 
compiled configurations that they might be using in their existing infrastructure. 

Now that the DSC configuration is imported, compiled, and made available in the 
Azure Automation DSC pull server, the next step is to apply the configurations against 
target nodes. 
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DSC Nodes 


Azure Automation DSC can be used to manage Azure VMs (both classic and ARM), 

VMs in AWS, and Windows and Linux machines (physical and virtual) on-premises or 
hosted on any other third-party cloud service provider platform. Let’s take the example of 
onboarding an Azure VM in Azure Automation DSC: 


1. Goto Automation Accounts > Configuration Management > 
DSC Nodes. Click the Add Azure VM option (Figure 4-25). 


d Add Azure VM Ez Add on-prem VM [4 Learn more o Refresh 


DSC nodes Status 


, 


Search nod 7 selected 





Figure 4-25. Adding an Azure VM 


2. Selectthe VM that you want to onboard. Click OK (Figure 4-26). 


Virtual Machines 
Select virtual machines to onboard 


Azure Linux VMs are not supported for in-portal onboarding, thou 
in the list below. Azure Classic VMs will not appear in the list below 
Registration i onboarded using the Azure Classic VMs experience, via All settings 


= : -> ymation DSC. 
Configure registration data Add Azure Automation DSC 


NAME TYPE 
adVM Microsoft.Compute/virtualM.. 
Backupserver Microsoft.Compute/virtualM... eastus 


Backupvm1 Microsoft.Compute/virtualM eastus 
f f 


BackupVM2 Microsoft.Compute/virtualM.. eastus 





Figure 4-26. Selecting a VM to be onboarded 


Note As you can see in the warning message in Figure 4-26, Linux machine VMs, 
even if they are listed in the portal, cannot be onboarded directly from the portal. It should 
be done with a registration script. Azure classic VMs should also be onboarded using an 
alternate process of installing the DSS VM extension separately. 
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The next step is configuration of registration data. This is 
nothing but the LCM properties to be set on the target node. 
The properties of LCM are set, and the node will be registered 
with Azure Automation DSC upon completion (Figure 4-27). 


" Registration key 


| Primary key | Secondary key 


Node Configuration Name © 


Configure registration data DSCdemo.localhost 





App yAndMon itor 
Reboot Node if Needed @ [v] 


Action after Reboot 6 


ContinueConfiguration 





Figure 4-27. Registration data 


The properties being set here are as follows: 


The Automation account registration key. 


A node configuration to be assigned to the VM. The DSCdemo 
configuration that we compiled earlier is selected from the 
drop-down list. 


Refresh frequency, which is same as the RefreshFrequencyMins 
property of the LCM. It is the duration within which LCM 
contacts the Azure Automation DSC pull server to get the latest 
configurations. 


Configuration mode frequency, which is same as the 
ConfigurationModeFrequencyMins property of the LCM. 

It denotes the interval at which LCM attempts compliance 
against the latest configuration downloaded from the Azure 
Automation DSC pull server. 
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Configuration mode, which is the same as the 
ConfigurationMode property of the LCM. You can select 
from the following values in the drop-down menu: 
ApplyAndMonitor, ApplyOnly, or ApplyAndAutoCorrect. 


Module overwrite is allowed, so that new configurations 
downloaded from the pull server can overwrite existing 
modules on the target nodes. 


Reboot of the node is allowed if it is required to fully apply the 
configuration. 


Action After Reboot can be either ContinueConfiguration 
or StopConfiguration. In this example, we have selected 
ContinueConfiguration. 


4. Click OK and then click Create to start the onboarding 
process. If you click notifications, you can see that the 
DSC VM extension registration request is being submitted 
(Figure 4-28). 


Dismiss informa 


sa" DSC VMs Extension Registration Running 


XL extension negistration í gues submission 





Figure 4-28. DSC extension registration 


9. Ifall goes well, you will get a notification that the DSC 
registration is initiated successfully (Figure 4-29). 


X 
© vM psc registration initiated successfully — 7:16 PM 


e o | Virtual machines may take up to 10 minutes to show up in 


Azure Automation DSC. backupVM? : Registration started 
successfully 





Figure 4-29. Portal notification 
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What happens in the back end is that Azure platform initiates 
the installation of the DSC extension in the Azure VM and 
registers it with the Azure Automation DSC service by using 
the primary registration key. 


6. After successful registration, the configuration that we 
selected during registration (DSCDemo) is applied. You can view 
the compliance of the node from the portal under DSC Nodes 
(Figure 4-30). 


E Add Azure VM + Add on-prem VM [4 Learn more o Refresh 


DSC nodes Status Node Configuration N 


Search nodes... 7 selected 9 selected 


^ STATUS ^. NODE CONFIGURATION 


BACKUPVMNM2 v! Compliant DSCdemo.localhost 7/8/2017 7:16 PM 





Figure 4-30. Node compliance status 


7. Click the node to view additional details (Figure 4-31). 


em Assugn node contiqurabton x Unreqiter 


Essentials ^ 


* group IP idres 
10.0.0.6 
Puccount 
omsrgautmn 

i ween time Virtual machine 


7/8/2017 7:16 PM LACKUPVM?2 


nfiguratior Mode conf QU aic 


D5Cdemo D5Cdemo.localhost 


Regati atacan Time C Fas p 


7/8/2017 7:14 PM Compliant 


Reports 


TYPE REPORT TIME 


Initial 7/8/2017 7:16 PM 





Figure 4-31. Node additional details 
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8. You can drill down to further details on the compliance 
against each resource by clicking the available report 
(Figure 4-32). 


//8/201/ 7:16 PM 


Report 


(=) View raw report 


Se eee 


v Compliant 


Report time 


7/8/2017 7:16 PM 


Start time 


7/8/2017 7:14 PM 


Total runtime 


2 minutes, 39 seconds 


lype 


Initial 
Resources 


i WindowsFeature v Compliant 
& File v” Compliant 


È Service Compliant 
"at 
a 


Environment Compliant 


&* Package w” Compliant 





Figure 4-32. Compliance details 


9. IntheDSCDemo sample config, we configured WindowsFeature, 
File, Service, Environment, and Package resources. The 
portal provides the compliance information against each of 
those resources, as shown in Figure 4-32. 


If you log in to the target Azure VM, you can see that the node is configured as per 
the instruction in the DSC config. The Web-Server feature is installed, the W3SVC service is 
running, the index.html file is copied over to the inetpub root, the Java SDK is installed, 
and the JAVA HOME environment variable is set. 
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Since the configuration mode frequency is set to 15 mins, LCM will ensure 
compliance against the config every 15 minutes, and the status will be displayed in the 
portal (Figure 4-33). 


2 Assign node configuration x Unreqister 


Essentials ^ 


P address 

10.0.0.6 

Account 

omsrqautmn 
Last seen tme Virtual machine 
7/8/2017 7:46 PM BACKUPVM?2 
.onfiguration Node configuration 
DSCdemo DSCdemo.localhost 
Registration time Status 


7/8/2017 7:14 PM Compliant 


Reports 


TYPE STATUS 


Consistency v. Compliant 7/8/2017 7:31 PM 


Initial wv Compliant 7/8/2017 7:16 PM 





Figure 4-33. LCM compliance check 


This comprehensive reporting capability is one of the key highlights of Azure 
Automation DSC. An administrator will get a view of the compliance status of all target 
nodes from a single management interface. 


Onboarding Linux Machine to Azure 
Automation DSC 


PowerShell DSC can be used to manage Linux machines also because MOF uses open 
standards compatible with Linux. You can onboard your Linux physical/virtual machines 
hosted on-premises or in Azure to Azure Automation DSC and manage them through 

the portal. In this section, we will onboard an Ubuntu 14.04 LTS machine to Azure 
Automation DSC. 
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First download the required packages by using the following commands: 


wget https://github.com/Microsoft/omi/releases/download/v1.1.0-0/omi- 
1.1.0.ssl 100.x64.deb 

wget https://github.com/Microsoft/PowerShell-DSC-for-Linux/releases/ 
download/v1.1.1-294/dsc-1.1.1-294.ssl 100.x64.deb 


Install the packages by using the following command: 
sudo dpkg -i omi-1.1.0.ssl 100.x64.deb dsc-1.1.1-294.ssl 100.x64.deb 


The output of a successful installation is shown in Figure 4-34. 


2017-07-08 20:59:52 (1.64 MB/s) - 'dsc-1.1.1-294.5s1 100.x64.deb' saved [5759228/5759228] 


azureuser&Bubuntudsc:-5 sudo dpkg -i om1-1.1.0.5s1 100.x64.deb dsc-1.1.1-294.s5s1 100.x64.deb 
Selecting previously unselected package omi. 

(Reading database ... 28885 files and directories currently installed.) 
Preparing to unpack omi-1.1.0.ssl 100.x64.deb ... 

Creating omiusers qroup ... ! 

sent invalidate(passwd) request, exiting 

sent invalidate(group) request, exiting 

sent invalidate(group) request, exiting 

Unpacking omi (1.1.0.0) ... 

Selecting previously unselected package dsc. 

Preparing to unpack dsc-1.1.1-294.55s1 100.x64.deb 

Checking for ctypes python module...ok! 

Unpacking dsc (1.1.1.294) 

Setting up omi (1.1.0.0) 

Generating a 2048 bit RSA private key 


m m B E eee E NH NONE E E H BH BH NW W X Wo eee ee eee ZW W eee HOW X E E HB NOH W eee B BON EOE - BON eee E HON eee eee eee G GÀ Go À OH X m B oW W € X E "Wo B HON eee B EH EH ON ON OW m m» HOW 


writing new private key to '/etc/opt/omi/ssl/omikey.pem' 
Configuring OMI service .. 

* Starting Microsoft OMI Server: 

Processing triggers for ureadahead (0.100.0-16) 
Setting up dsc (1.1.1.294) 
Installing resource MSFT nxFileLineResource 
Installing resource MSFT nxFileResource 
Installing resource MSFT nxUserResource 

Installing resource MSFT nxPackageResource 
Installing resource MSFT nxGroupResource 
Installing resource MSFT_nxArchiveResource 
Installing resource MSFT nxSshAuthorizedKeysResource 
Installing resource MSFT nxScriptResource 

Installing resource MSFT nxEnvironmentResource 
Installing resource MSFT nxServiceResource 

* Shutting down Microsoft OMI Server: 

* Starting Microsoft OMI Server: 


Figure 4-34. DSC package installation output 


114 


CHAPTER 4 ™ AZURE AUTOMATION DSC 


The scripts for Linux DSC operations can be found at/opt/microsoft/dsc/Scripts 
(Figure 4-35). 


Cis nfiguration.py instal lMwo2uie.py 
tbscLocalConfigurationManager.py AxDSCLOG. pY 
lper t y PerforsInventory py 


ai py 
rUGPGhey . oh Perf aRe ui red 


Figure 4-35. DSC scripts 


L.py hemoveMosdule .p 


ps y 
hegenerateinitfiles.py Restoreconfiguration. py 
Registerhelper . st $etoscLocalConfigurationManaget . py 


Register .py "tart bs nfig m py 


Let’s check the current configuration of LCM by using the 
GetDscLocalConfigurationManager.py command (Figure 4-36). 


azureuserfubuntudsc: /opt/microsoft/dsc/Scripts$ sudo ./GetDscLocalConfigurationManager.py 
instance of GetMetaConfiguration 


| 


ReturnValue=0 


MetacConfiqurationz 


i 


ConfigurationModeFrequencyMins-30 
RebootNodeIfNeeded-false 
ConfigurationMode-ApplyAndMonitor 
CredentialzNULL 

RefreshModesPUSH 

CertificateIDsNULL 
ConfigurationID=NULL 
DownloadManagerName-NULL 
DownloadManagerCustomData=NULL 
RefreshFrequencyMins-1 
AllowModuleOverwrite-false 
LocalConfiqurationManagerState-Busy 
ConfigurationDownloadManagers-NULL 
ResourceModuleManagers=NULL 
ReportManagers=NULL 
PartialConfigurations=NULL 
ActionAfterReboot=NULL 
DebugMode=NULL 

LCMVersion=NULL 
LCMCompatibleVersions-NULL 
LCMStatesNHULL 

LCMStateDetail-NULL 
StatusRetentionTimeInDays-NULL 
AgentId-F648/40C-3F0C-442C-ACAC-BCD8A- 'EEDC6 
EnableSignatureValidation-NULL 
DisableModuleSignatureValidation-NULL 


Figure 4-36. Current configuration of LCM 


instance of MSET DSCMetaConfiguration 


We can see that by default RefreshMode is set to PUSH. Let's register this machine to 
Azure Automation DSC. A script is available for this in the scripts folder, which should be 
executed with the Azure Automation registration key and URL as parameters: 


sudo ./Register.py «Automation account registration key» 
«Automation account registration URL» 
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The registration key and URL can be found in the Azure portal; select Automation 
Account > Account Settings > Keys. 


On successful execution, you should get the following output (Figure 4-37). 
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Figure 4-37. Registration output 


If we check the LCM configuration status now, RefreshMode will be set to Pull, and 
the corresponding Azure Automation pull server values should be reflected (Figure 4-38). 


arureuserBüubuntudsc:/opt/microsoft/dac/Scripts? sudo ./GetDscLocalConfigurationManager.py 
instance of GetMeraConf lguration 
[ 

ReturnValuesf 

Metaconfiguration- instance of MSET D5CMetaconfiguration 

{ 

ConfigurationModeFrequencyMinsmi0 

EebootHodeIlfNeeded-falze 
ConfiqurationMode=sAppl yAndMoniter 
E ae 
RefreshMode=Pull 
Ls: J al 
ConfiqurationID-NULL 
DounloadManagerWamezHULI. 
DpowunloadManagercCustompata-HULL 
RefreshFrequencyMinss3ü 
AllcwHoduleOverwritesfalse 
LocalConfigurationManagersStatesmHULI 
ConfigurationDcwnloadManagerss 







instance of MSFT WebDownloadManager 

l 
ResourcefId-[ConflqurarionReposiroryWeb]AzureAurcmarionDp&c 
SaurceInfaosCc:XiOaas-RegistrationHetaConfig2.psl1::20::9::ConfigurationRepositoryWeb 
[Key] ServeruRL-EZZZE - | - vn 
CertificateIDeNULL 
AllowüUnsccureConnectioneNULL 
Registrationkey- 
ConfiguraticnHamesz[) 






Figure 4-38. RefreshMode value 
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The node will be reflected in the Azure portal also under the DSC nodes (Figure 4-39). 


d- Add Azure VM 4 Add on-prem VM [Z Learn more o Refresh 


DSC nodes Status 


Search nodes... 7 selected 


NAME STATUS ^ — NODE CONFIGURATION 


BACKUPVM2 v Compliant DSCdemo.localhost 


ubuntudsc v Compliant 


























Figure 4-39. Ubuntu node reflected in the Azure portal 


Note that the node configuration is not present because we haven't applied any DSC 
configurations yet. 

Select the node and click Assign Node Configuration to assign a configuration from the 
list of compiled configs available in the Azure Automation DSC pull server (Figure 4-40). 
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Figure 4-40. Assigning a node configuration 


Azure Automation DSC provides a platform-independent way of managing the 
desired state of your infrastructure from a centralized portal. Users can create DSC 
configs, import them to Azure Automation DSC, and ensure compliance against the 
target workloads, all from the Azure portal. The rich reporting capabilities built into 
Azure Automation DSC make it easier for administrators to ensure compliance of hybrid 
environments using this service. 
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Summary 


This chapter covered the fundamentals of PowerShell DSC. You learned the key 
components, such as configurations, resources, and LCM, as well as the pull and push 
architecture and how it all maps to Azure Automation DSC in the Azure portal. We also 
covered one sample use case in which a target node on-premises and in Azure was 
configured using the same DSC config. The important takeaway is that you can easily 
onboard your existing DSC configurations to the Azure Automation DSC platform and 
manage your target nodes from the Azure portal. 


Additional Resources 
https: //docs.microsoft.com/en-us/azure/automation/automation-dsc-overview 


https://docs.microsoft.com/en-us/azure/automation/automation-dsc-getting- 
started 


https://docs.microsoft.com/en-us/azure/automation/automation-dsc-onboarding 
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CHAPTER 5 


Hybrid Cloud Automation 





Azure Automation is a comprehensive solution that can be used to automate 
administrative tasks in environments hosted in Azure as well as in on-premises 
datacenters or even third-party cloud service providers. The management of the latter 
(on-premises, third-party hosting provider, or third-party cloud service providers) is 
done through Azure Automation Hybrid Runbook Worker. It is also integrated with 
Operations Management Suite, which takes care of the agent installation, management, 
and monitoring. This chapter reviews the features of Hybrid Runbook Worker and walks 
through its usage in Automation scenarios. We will start with a small introduction to 
Operations Management Suite and how it integrates with Azure Automation. 


Operations Management Suite and Azure 
Automation 


Operations Management Suite (OMS) is the management-as-a-service offering hosted 

in Azure. It is based on services hosted in Azure that cater to specific management tasks. 
It uses an agent-based architecture and can be used to manage both your on-premises 
and cloud-hosted infrastructure. OMS has several built-in solutions that can be used for 
specific management tasks including patch management, threat analysis, health checks 
on systems such as Active Directory (AD) and Structured Query Language (SQL), to name 
a couple. It also provides a host of other features such as integration with Power BI and 
Office 365. The four main components of OMS are as follows: 


e Log Analytics: This service monitors and collects logs from 
various sources, stores it in Azure storage, and then analyzes the 
data and provides valuable insights on your environment based 
on the same. 


e Automation: This is where Azure Automation fits in. It can be 
purchased as part of the Operations Management Suite or can 
be availed as a service from within the Azure portal. However, 
to use the hybrid worker features for executing Automation 
tasks on systems hosted on-premises, the OMS workspace is a 
prerequisite. 
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e Azure Backup: This cloud-based backup solution offered by Azure 
is part of the Operations Management Suite. It can be used for 
backing up files/folders and applications hosted in systems in 
Azure and on-premises. It can also be used for taking VM-level 
backups of Azure VMs. 


e Azure Site Recovery: Azure Site Recovery (ASR) is the disaster 
recovery as a service using Azure, and is part of the Operations 
Management Suite. The solution offers Azure as a secondary 
datacenter in case of a disaster recovery (DR) scenario. If 
customer has an already existing secondary datacenter, ASR 
can be used for orchestrating the DR between the primary and 
secondary sites. 


Azure Automation is one of the key pillars of OMS; many solutions in OMS integrate 
with Azure Automation to initiate remediation tasks. For example, you can set an alert 
for the occurrence of a specific incident and then call a runbook as a remediation step. 
You should link your Automation account with OMS and call the runbooks associated 
with that Automation account directly from the OMS workspace. Alternately, you can 
create webhooks for Automation runbooks and leverage them for OMS alert remediation. 
An OMS workspace is required if you want to set up Azure hybrid workers to execute 
Automation runbooks against on-premises target nodes. 


Getting Started with Hybrid Runbook Worker 


Hybrid Runbook Worker is closely integrated with the OMS workspace and the 
Automation and Control solutions associated with it. Having an OMS workspace is a 
prerequisite if you want to use Hybrid Runbook Worker. The Automation and Control 
solutions should be configured to integrate with the desired Automation account where 
your runbooks are stored. This Automation account should be in the same region, 
subscription, and resource group as your Automation account. In addition, there is a 
dependency on the solution named Automation Hybrid Worker. This solution should be 
added to the OMS workspace so that the necessary PowerShell modules are downloaded 
to the target machine. 


Hybrid Runbook Worker Architecture 


The architecture of an environment integrated with Azure Automation and OMS using 
Hybrid Runbook Worker is shown in Figure 5-1. 
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Figure 5-1. Hybrid Runbook Worker architecture 


The integration of on-premises machines with OMS is done by installing the 
Microsoft Management Agent (MMA). This agent can be downloaded from the OMS 
workspace. You will also need the workspace ID and keys for integration. This process 
is discussed in detail in the next section. The role of OMS is to manage MMA. Once the 
connection with the OMS workspace is established, you need to configure the Hybrid 
Runbook Worker so that it is added to the right Hybrid Worker Group in the Automation 
account. The agent will then contact the Azure Automation account and pull the relevant 
runbooks and instructions required for executing the commands. Any assets required 
for executing the runbooks are also retrieved by the agent. All transactions use the Pull 
model, so there is no inbound firewall requirement. The machine where the agent is 
installed should have a connection to the Internet over port 443 and a connection to 
Azure Automation URLs. 

Hybrid Runbook Workers are logically grouped as Hybrid Runbook Worker Groups 
in the Azure portal. To get a list of Hybrid Worker Groups associated with an Automation 
account, go to Automation Account > Overview > Hybrid Worker Groups (Figure 5-2). 
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Figure 5-2. Hybrid Worker Groups 


Hybrid Worker Groups can have a single worker or multiple workers for high- 
availability purposes. When you initiate the execution of a runbook, it is the Hybrid 
Worker Group that you select as a target and not a specific member. This decision is made 
by the member of the group. 

To add a new hybrid worker, click the Hybrid Worker Groups tab from the overview 
and click Configure. This will provide you with a set of instructions on how to configure a 
Hybrid Runbook Worker (Figure 5-3). 
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Figure 5-3. Instructions for configuring Hybrid Runbook Worker 
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Setting Up OMS and Linking It with Azure 
Automation 


You can sign up for OMS at http: //microsoft.com/OMS or alternately create a workspace 
from within your Azure subscription. The step by step process of creating a workspace 
from your Azure Subscription and linking it with Azure Automation is as follows: 


1. To create a workspace from the Azure portal, click New > 
Data + Analytics > Log Analytics (Figure 5-4). 


Data + Analytics 
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Figure 5-4. Selecting Log Analytics 


2. Fillinthe details required to create the OMS workspace 
(Figure 5-5). 
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OMS Workspace 
* OMS Workspace © 
OM SBookDemo 
Or link existing .portal.mms.micrasoftL.com 
* Subscription 


Visual Studio Enterprise 


* Resource group @ 
©) Create new — 1.) Use existing 


AutoTest 


* Location 


West Europe 


* Pricing tier 
Free 


Pin to dashboard 


OK 


Pricing Tier 


Free 


To use Operations Management Suite 
entitlements choose Per Made (OMS). All 
solutions are available on Per Mode (OMS) and 
Free tiers. 


INSIGHTS AND ANALYTICS / LOG ANALYTICS 


To use Service Map or Metwork Performance 
monitoring solutions, choose Per Mode (OMS) or 
Free. Some solutions are also available on Per GB 
(Standalone) 

Learn more 


SECURITY AND COMPLIANCE 


lo use the Security & Compliance solutions 
chaose Per Node (OMS), Per GB (Standalone), or 
Free. These solutions are free for the first 60 days. 
After that, a per node charge will apply regardless 
of your workspace pricing tier. 

Learn more 


AUTOMATION AND CONTROL 


To use Update Management or Change Tracking 
solutions choose Per Mode (OMS) or Free. 
Adding ane of these solutions links your 
workspace to an Automation account The linked 
workspace and Automation account share the 
same pricing tier. 





Figure 5-5. Fill in details to create OMS Workspace 


Specifically, provide the following details: 
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In the OMS Workspace text box, provide a name for the 
workspace, or you can link an existing workspace. 


Choose the subscription and the Resource Group. 


Choose the Location. Note that the Automation account 
integration with OMS required for Hybrid Runbook Worker 
is available only in few regions as of writing this book. You 
can see the latest information on Azure service availability by 
region at https: //azure.microsoft.com/en-in/regions/ 
services/. Check for availability of the Automation and 
Control service. 


The Pricing Tier to be used is either Free, or Per Node if you 
want to use Automation and Control solutions. 


From Azure Portal > Log Analytics, select the newly created 
OMS work space. Click OMS portal to access the newly 
created workspace (Figure 5-6). 
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Figure 5-6. New OMS workspace 


4. The next step is to add the Automation solution from the OMS 
workspace so that we can use Hybrid Runbook Worker. 


9. Click the OMS home page, click Solutions Gallery, and select 
Automation and Control > Configure Workspace (Figure 5-7). 





Solutions Gallery » Details 


Automation & Control 


A requires account configuration 
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Figure 5-7. Configuring the workspace 


6. Link your target Automation account with OMS. If an 
Automation account exists in the same subscription, resource 
group, and location as your OMS workspace, it will be 
listed under Use Existing. Otherwise, you can create a new 
Automation account. In this example, I am going to create a 
new Automation account. Click OK and then Close (Figure 5-8). 
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Configure Workspace Automation Account 
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® Create new O Use existing 


azurehybrid1 





tA p 
Automation ac 


Select Account 


Azure Subscription 


Resource Group 


Location 


Workspace Pricing Tier 





Figure 5-8. Creating a new automation account 


7. Ifyou check in the Azure portal, you can see that this 
Automation account is now created in the same resource 
group and location as my OMS workspace (Figure 5-9). 
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Figure 5-9. Created account in the Azure portal 


8. Nowthat the Automation account and the OMS workspace 
are linked, we will add the Automation Hybrid Worker 
solution. This will ensure that Hybrid Runbook Worker is 
automatically downloaded to the nodes that you onboard to 
OMS. 
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9. From the OMS workspace, go to Solutions Gallery > Select 
Automation Hybrid Worker > Add (Figure 5-10). 
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Figure 5-10. Adding Automation Hybrid Worker 





10. The next step is onboarding of nodes to OMS. This can be 
done via installation of the Microsoft Monitoring Agent. This 
agent can be downloaded via OMS Workspace » Settings 
»> Connected Sources > Windows Servers/Linux Servers 
(Figure 5-11). 
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Figure 5-11. Downloading the OMS agent 


Certain prerequisites should be met before installing Hybrid Runbook Worker: 
— Minimum OS required is Windows Server 2012. 


— Minimum PowerShell version is 4.0. It is recommended to use 
PowerShell 5.0. 


— The target node should have a minimum specification of two 
cores and 4 GB RAM. 
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Hybrid Runbook Worker initiates the connection to the Azure Automation service, 
so only outbound Internet access over port 443 is required from the target nodes. 

Also, it should be able to access the Azure Automation URLs. If a proxy server is in the 
environment, it should be configured to allow access to *. azure-automation.net. 

The installation of the Hybrid Runbook Worker agent is done on the target node by 
using a simple installation wizard. During the installation, you will be prompted to enter 
the OMS work space details. These details can be obtained from the same location in the 
OMS portal. 

The required scripts and modules for configuring Hybrid Runbook Worker will 
be available in the onboarded node since the Automation Hybrid Worker solution is 
enabled. These scripts can be found from the location shown in Figure 5-12. 


ls am Files\Microsoft Monitoring Agent\Agent\AzureAutomation> cd "C:\Program Files\Microsoft Monitoring 
on\7. 2.12318. on" 





Figure 5-12. Hybrid worker script location 


Note that the version at the time of writing this book is 7.2.12318. This could change 
when new versions are released. 
Import the Hybrid Registration module present in this location (Figure 5-13). 





Agent \Agent \Azur eAutomati A 
Ka del og ng " . on\7.2.12318.0\HybridRegistration> Import-Module 
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Figure 5-13. Importing the Hybrid Registration module 


Register the hybrid worker by using the following command, as shown in Figure 5-14: 


Add-HybridRunbookWorker -Name «String» -EndPoint «Url» -Token «String» 





Figure 5-14. Registering the hybrid worker 


The details are as follows: 
— Name: This is the name of the Hybrid Runbook Worker Group. 


— Endpoint: This is the endpoint URL of Azure Automation. The 
information can be found via Azure Automation > Account 
Settings > Keys. 


— Token: This is the primary/secondary key available from the 
same interface. 


Once the registration is completed, the hybrid worker will be listed in the Azure 
portal under Hybrid Worker Groups (Figure 5-15). 
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azurehybridl - Hybrid worker groups 
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Figure 5-15. Hybrid worker listed in the Azure portal 


Double-click the Hybrid Worker Group to get additional details of the registered 
hybrid worker (Figure 5-16). 
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Figure 5-16. Getting information on hybrid workers 


By default, the Automation runbooks will run under the context of Microsoft 
Management Agent installed on the target server. However, if you want to use alternate 
credentials—say, a local admin account to execute the runbooks—a credential asset can 
be created and assigned to the worker group (Figure 5-17). 
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Figure 5-17. Hybrid worker group Run As credential 


Executing Runbooks by Using Hybrid Runbook 
Worker 


Runbooks can be created or imported using the steps explained in Chapter 3. The only 
difference occurs during the execution phase. The runbook will be executed against a 
target hybrid worker. 


Sample Use Case 


Let’s start with a simple workbook that will pull out the list of services with a given startup 
type provided via the parameters and that is in running status. This workbook could be 
part of a bigger use case in which the administrator wants to do some additional tasks 
based on the retrieved data. For the sake of simplicity, we will test this small runbook 
against the target machine where we had installed a hybrid worker and registered it 
against an Automation account. 

The contents of the runbook for this example are as follows: 


param( 
# Startup type of the service. 
[Parameter(Mandatory = $true) ] 
[string ]$StartupType 


) 


$Servicestatus = Get-WmiObject Win32 Service -ComputerName . |where {($ . 
startmode -like "*$StartupType*") -and ($ .state -like "*running*"))|select 
DisplayName, Name, StartMode, State/ft -AutoSize 


Write-output $Servicestatus 
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When you start the runbook in Azure Automation, change the Run Settings option to 
Hybrid Worker. For the Choose the Hybrid Worker Group drop-down option, provide the 
mandatory input parameter and click OK (Figure 5-18). 
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Figure 5-18. Providing input parameters 


Click Output to view the results. The runbook will pull out the list of manual services 
in the target machine in running status (Figure 5-19). 
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Figure 5-19. Runbook output 
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To verify the outcome, we can run the commands in the runbook directly on the 
target server (Demowebvm2) where the agent is installed. We can see that the results are the 
same (Figure 5-20). 


A Demowebvme - - Remote Desktop Connection 





Figure 5-20. Results from within the VM 


Using Azure Automation Webhooks and 
Integrating with OMS 


Azure Automation can be integrated with OMS by using a webhook, which is an HTTP 
request that can be used to start a runbook. Webhooks can be created directly from a 
published runbook as follows. 


1. Browse to the Azure Automation account and choose 
Overview > Runbooks. Select the runbook and then click 
Webhook (Figure 5-21). 
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Figure 5-21. Webhook integration 


2. Provide details of the webhook to be created (Figure 5-22). 


Create anew webho... + O X 


For security, after creating a 
webhook its URL can't be viewed. 
Make sure to copy it before pressing 
"OK", and to store it securely. Learn 
more 


* Name 


webhook1 v 


* Enabled 


Yes 


* Expires 
2018-07-18 5:42:47 PM 


URL © 


https://s levents.azure-automation.net/... 





Figure 5-22. Webhook details 
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Specifically, provide the following details: 
— Provide a name for the webhook. 


— You can enable the webhook when you create it or choose to 
enable it at a later point after creating it. 


—  Setan expiry date for the webhook, after which it cannot be 
used. 


—  AnURLis created automatically for all the webhooks and will 
have a security token included in it. This security token 
authenticates the HTTP call made to the webhook. The URL 
should be copied over during creation because it will not be 
available after that for security reasons. 


3. Configure the Run As option in the next step. Any mandatory 
input parameters should be defined at this point while 
creating the webhook. By default, the runbook will be 
executed on Azure, but you can change the target to a hybrid 
worker also. Click OK and then click Create to create the 
webhook (Figure 5-23). 


Start a runbook via a simple HTTP POST to a URL Parameters 
* STARTUPTYPE © 
Webhook : 3 - 


webhook1 


Mandatory, String 


Parameters and run settings 
Configure parameters and run settings Run Settings 


Run on © 


Choose Hybrid Worker group 


Hybridtest w 


Figure 5-23. Creating a webhook 
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4. Once created, the webhook will be listed when you select the 
runbook (Figure 5-24). 


Webhooks 


+ Add Webhook o Refresh 


NAME EXPIRATION STATUS 


webhook1 7/11/2018 6:38 PM vw Enabled 





Figure 5-24. List of webhooks 


9. The parameters, such as the expiry date, can be edited from this 
view. We can also enable/disable the webhook (Figure 5-25). 


webhook1 i Parameters 


Hvbridtesti 


H | Ü Delete Parameters 
* STARTUPTYPE 6 
Name 


manual 
webhook1 — 


Mandatory, String 
* Enabled 


Yes Run Settings 


Expiration Run on 6 


2018-07-11 MB 6:38:50 PM Azure | Hybrid Worker 


Choose Hybrid Worker group 


Parameters and run settings 
ie = ng Hybridtest 


Review parameters and settings 





Figure 5-25. Reviewing the parameters and settings 


Set Up Webhooks in OMS Alerts 


From the OMS workspace, click Settings > Alerts to view the list of alerts created. You can 
edit the alerts. Under the Actions tab, the options for adding the webhook will be listed 
(Figure 5-26). 
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Actions 


F^] Email notification 
Yes No 
Subject 
Recommended Alert: Computers missing security updates 


Recipients (semi-colon separated) 


testemail@hotmail.com 


d Webhook 


Yes No 
Webhook URL 
JatRGvaVextT6byKdAkLK2rPSeaxNIUP%2brsvEHUu0rM%3d 


[] Include custom JSON payload 


Test webhook Webhook sent successfully 


Figure 5-26. Webhooks in OMS alerts 





Provide the webhook that was created in the previous section. Click the Test 
Webhook button to test the functionality. If all works well, you will get the message 
“Webhook sent successfully.” Any parameters that should to be sent to the runbook via 
the webhook can be included as a JSON file. 

Alternately, you have an option to select the runbook from the attached Automation 
account (Figure 5-27). 
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the Runbook 


vo - 


Automation account 


omsrgautmn 


Select a runbook 


testpowershell M 


Run on 
Hybrid worker 


Figure 5-27. Selecting a runbook 





Once you integrate your Automation account with OMS, all runbooks in the 
account will be listed in the Select a Runbook drop-down list. This makes it easier for the 
administrator to choose one of the available runbooks for remediation. 


Azure Automation Integration with GitHub 
Source Control 


You can integrate Azure Automation with your repositories in GitHub. You can use this 
to push or pull the PowerShell runbooks in your Automation account to the GitHub 
repository. 

From the Azure Automation account, select Account Settings > Source Control 
(Figure 5-28). 
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RELATED RESOURCES 


GONS 


Ge Workspace 


d Unlink Workspace 


ACCOUNT SETTINGS 


Th 
ili Properties 


© Source Control 





Figure 5-28. Selecting the Source Control option 


Under Choose Source, select GitHub (Figure 5-29). 





Figure 5-29. Choosing GitHub 


Note Only GitHub is available as of writing this book. It is expected that Visual Studio 


Online(TFS) will be available soon. 


Authorize the access by providing the GitHub login credentials. If you click 
Authorize, you will be redirected to the GitHub login page (Figure 5-30). 





Figure 5-30. Selecting Authorize 
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After logging in, you need to authorize the account with GitHub (Figure 5-31). 


ioo í | ) 


Authorize Automation Source Control 


=a" Automation Source Control by azureautomation 


BH wants to access your automationbk account 


Repositories 


a Public and private 


Authonzing will redirect to : : 
; Authorize azureautomation 
https://portal.azure.com 





Figure 5-31. Authorizing Azure Automation 


In the next step, select the repository, branch, and runbook folder path to complete 
the integration of Source Control with the Automation account. 

Once it's integrated, you will be able to check in your runbooks directly from the 
runbook edit pane into the source control repository (Figure 5-32). 








C Publish x Revert to published i Test pane w Feedback 


Figure 5-32. Checking in runbooks 


Summary 


This chapter explored how to manage infrastructure hosted outside Azure by using 
Hybrid Runbook Worker. The features of Hybrid Runbook Worker along with its 
integration with Operations Management Suite were also explained. 
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Additional Resources 
https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-overview 
https: //docs.microsoft.com/en-us/azure/site-recovery/site-recovery-overview 


https://docs.microsoft.com/en-us/azure/automation/automation-hybrid- 
runbook-worker 


https://docs.microsoft.com/en-us/azure/automation/automation-hrw-run- 
runbooks 
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CHAPTER 6 


sample Runbooks and 
Use Cases 





Relevance of any technology depends on its capability to handle real-life use cases. Azure 
Automation is no different. In the previous chapters, we discussed the various facets and 
components of Azure Automation. Now that the groundwork is done, let’s explore sample 
use cases for the technology. 


Operations Automation for Office 365 


Some of the common Office 365 administrative tasks can be automated using Azure 
Automation runbooks. In the first set of use cases, we will explore automation of Office 
365 reporting and management using Azure Automation. 


Office 365 Reporting 


Runbooks will be used to pull out reports from the Azure AD tenant associated with Office 
365 accounts. The details can be displayed as output or can be used to create reports that 
will be e-mailed to the administrator via the SendGrid e-mail relay service. 

We will look at two use cases in this section. The first one is a simple runbook to 
pull out a list of blocked users in an Office 365 tenant. We will use the second runbook 
to create a password expiry date report for users in each tenant and e-mail it to 
administrators. 


Prerequisites 


The MSonline module should be imported to the Azure Automation account before the 
runbook can be executed. The MSonline module is available in a General availability and 
Public preview version. Cmdlets in the preview version are not available in the module in 
the gallery. If you are using the cmdlets from the preview version, the latest module can 
be downloaded from www. powershellgallery.com/packages/AzureADPreview. 
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From the Azure Automation account, choose Modules > Browse Gallery and then 
search for MSonline and import the module (Figure 6-1). 





MSOnline 
Bee = Mrosoft Arure Active Directory Module for Windows PowerShell Created by ArureAD PowerShell lease note that th 
xim 2793! downloads " 
“EE — Please note that the Settings cmdlets that were published in the preview release of the Last updated: 3/2/2017 E 

Tags: P5Module te ont « 





Figure 6-1. Searching for MSOnline 


If you click the imported module, you can see a list of activities that are basically the 
PowerShell commands used for the AD tenant management (Figure 6-2). 


MSOnline 


Activities 
NAME 


Add-MsolAdministrativeUnitMember 
Add-MsolForeignGroupToRole 
Add-MsolGroupMember 
Add-MsolRoleMember 
Add-MsolScopedRoleMember 
Confirm-MsolDomain 
Confirm-MsolEmailVerifiedDomain 
Connect-MsolService 


Convert-MsolDomainToFederated 


Convert-MsolDomainToStandard 


Convert-MsolFederatedUser 


Disable-MsolDevice 


Enable-MsolDevice 


Get-MsolAccountSku 





Figure 6-2. List of activities 
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We will use the third-party mail relay service SendGrid in the second use case to 
send an alert e-mail to administrators. 
Search for the SendGrid service from the Azure portal by choosing More Services 


(Figure 6-3). 


Shift+Space to toggle favorites 


sendGrid 


iS SendGrid Accounts 


Figure 6-3. Searching for SendGrid 


Click the option to create the service (Figure 6-4). 


* Mame 


| SendGridtest v 


* Password @ 
| IZIITITITTII v 
* Confirm Password 
| "P"PODPPEPE yi 
* Subscription 
Visual Studio Enterprise 
* Resource group @ 
(& Create new ©) Use existing 


sendgridtest 


* Pricing tier 


free 


Promotion Code © 


* Contact Information 


Completed. 


* Legal terms 
Legal terms accepted 


Figure 6-4. Creating the service 
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Specifically, provide the following details: 


Provide the Name and Password, and select the Subscription 
and Resource Group. 


From the Pricing Tier, the free tier should be sufficient for up 
to 25,000 e-mails/month. 


Provide your Contact Information (first name, last name, and 
e-mail ID) as mandatory values. 


Accept the Legal Terms and create the service. 


After creating the service, select the service and then choose Settings > General 
> Configurations and make a note of the username listed there. We will be using this 
username and the password that we provided during service creation to configure an 
Automation credential for the SendGrid connection. The SMTP server name will be 
smtp.sendgrid.net (Figure 6-5). 


Settings Configurations 


SendGridtest 


USERNAME 


SUPPORT + TROUBLESHOOTING azure 4224bfal16409f30e300c80990eec3E 


=| Activity log PREA 
ASS WO d 


Your Password 
GENERAL 


Hi Properties SMTP SERVER 


smtpsendgrid.net 


* Configurations 





Figure 6-5. SendGrid configuration details 
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The next step is to create the Azure Automation credential asset. We will be creating 
two assets for this runbook: Office 365 admin credentials and SendGrid login credentials 
(Figure 6-6). 


* . m 
Name * Name 


| 0365cred v | SendGrid v 


Description Description 


* 
Username * User name 




















| adminuserisz-.--z-tztzz72 'D.onmicrosoftc w” | üanunc Inak ear AE cao a 


* Password * Password 


| PETE TET TTT | | &btbbsbbébà v 





* Confirm password * Confirm password 


| $6bbébbébbbasb au | ste 0008 wi 


Figure 6-6. Creating credentials 





Runbook 1 


We will start with a simple runbook that will pull out a list of blocked users in Office 365 
and display the output: 


# Connect to Office 365 using the 0365 credential object 
$cred0365 = Get-AutomationPSCredential -Name 'o365cred' 
Connect-MsolService -Credential $cred0365 
# Get list of users 
$users - Get-MsolUser -all 
# Check for blocked users and display results 
$count - O 
foreach ($user in $users) { 
$displayname = get-msoluser -UserPrincipalname $user.UserPrincipalName 


if ($displayname.BlockCredential) 


$Count = $count + 1 
echo $user.UserPrincipalName 'is blocked' } 


j 


if ($count -eq 0) 
( echo "There are no blocked users" 


j 
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Create a runbook using the preceding content and publish it. Execute the runbook 
and choose Azure for the Run On option (Figure 6-7). 


Start Runbook 


AzureADmangement 


Parameters 


No input parameters 


Run Settings 
Run on 6 





Figure 6-7. Selecting the Run On setting 


On execution, the output will be as follows (Figure 6-8). 


AzureADmangement 7/17/2017 8:27 PM 
testuseri@azurcautotest946.onmicrosoft.com 


is blocked 


Lreated 
596049d6755e 7/17/2017 &27 PM 
t Update 
M1 r/2017 828 PM 
Runbock 
AzureADmangement 


oshot 


View source snapshot 


Output 


€— 


NE IE 
E Output 





Figure 6-8. Viewing the output 
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Let's log in to Office 365 Admin portal and verify that the user is blocked (Figure 6-9). 


ice 365 Enterprise Es 


Testuserli?arzureautotest9idD onmicrasoft.com Office 355 Enterprise E3 


Ltestuser? carureautotestiat onmicrosolt.com Blocked 





Figure 6-9. Verifying that the user is blocked 


Runbook 2 


This runbook will pull out a report of the list of users and their password expiry date in a 
CSV file and send the report as an attachment to the administrator. This can be scheduled 
as a weekly task by creating a schedule in Azure Automation. The PowerShell script to be 
used as a runbook is given next. The tasks performed by the runbook are highlighted as 
comments in the runbook. 


#Create the CSV, which will be updated with date, name of users, e-mail 
address, #days to password expiry, and the password expiry date 
$logging - "Enabled" 

$logFile = ".Mpasswordexpirydates.csv" 

$date - Get-Date -Format ddMMyyyy 

if (($logging) -eq "Enabled") 

{ 


$logfilePath = (Test-Path $logFile) 
if (($logFilePath) -ne "True") 


# Create CSV File and Headers 
New-Item $logfile -ItemType File 
Add-Content $logfile "Date,Name,EmailAddress,DaystoExpire,ExpiresOn 


j 


j 
Echo "Logfile created" 


# Connect to Office 365 using the 0365 credential object 

Echo "getting credentials" 

$cred - Get-AutomationPSCredential -Name 'o365cred' 
Connect-MSolService -credential $cred 

Echo "Connected to office365" 

# Get Users From MSOL where Passwords Expire 

$users = get-msoluser | where { $ .PasswordNeverExpires -eq $false } 
$domain = Get-MSOLDomain | where {$ .IsDefault -eq $true } 

$temp = (Get-MsolPasswordPolicy -domain $domain.Name).ValidityPeriod 
If ($temp -eq $null) 
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1 


$maxPasswordAge - "90" 


j 


else 
{ 
$maxPasswordAge = ((Get-MsolPasswordPolicy -domain $domain.Name). 
ValidityPeriod).ToString() 
j 
# Process Each User for Password Expiry 
foreach ($user in $users) 
{ 
$Name = $user.DisplayName 
$emailaddress = $user.UserPrincipalName 
$passwordSetDate = $user.LastPasswordChangeTimestamp 
$expireson = $passwordsetdate + $maxPasswordAge 
$today = (get-date) 
$daystoexpire = (New-TimeSpan -Start $today -End $Expireson) .Days 
if (($logging) -eq "Enabled") 
{ 


Add-Content $logfile “$date, $Name,$emailaddress, $daystoExpire, $expireson’ 


j 
} 


Echo " Password expiry report created" 

#Get sendgrid Automation credentials 

$Sendgridcredential -Get-AutomationPSCredential -Name 'sendgrid' 
$SMTPServer - "smtp.sendgrid.net" 

$EmailFrom = “adminuser@outlook.com" 

$EmailTo = “adminuser@outlook. com" 

$Subject = "User Password expiry Report" 

$Body = "User Password expiry Report" 

#Send email using SendGrid credentials with report as attachment 
Send-MailMessage -smtpServer $SMTPServer -Credential $Sendgridcredential 
-Usessl -Port 587 -from $EmailFrom -to $EmailTo -subject $Subject -Body 
$Body -attachments "passwordexpirydates.csv" 

Echo " Password expiry report sent to administrator" 

Get-PSSession | Remove-PSSession 
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Once executed, the runbook will give the following output (Figure 6-10). 


E Output 


adJ65userpasswordexpiry //15/2017 3:54 PM 


Directory: C:XTempV23dnditB8.2jf 
Moda LasthWriteTimne Length Name 


------ 7/15/2817 2:54 PM Ə passwordexpirydates.csv 


Logfile created 


getting credentials 


Connected te of fice365 


Password expiry report created 


Password expiry report sent to administrator 





Figure 6-10. Runbook output 


The User Password expiry date report will be e-mailed to the administrator via 
SendGrid (Figure 6-11). 








User Password expiry Report 


==- ="="@outlook.com 


passwordexpirydates.csv 


Ege i. as 
1 Dytes 


User Password expiry Report 





Figure 6-11. Password expiry report 
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The contents of the report are shown in Figure 6-12. 


A B C D E 

Date Name EmailAddress DaystoExp ExpiresOn 
15072017 test user2 testuser2(Dazureautotest94 88 10/11/2017 17:07 
15072017 Test User1 lTestuser1@azureautotest94 87 10/11/2017 9:00 


Figure 6-12. Contents of the report 


Azure Blob Backup 


The native backup solution in Azure, Azure Backup, does not support backup of 

Azure blob storage at the time of writing this book. In this use case, we will explore an 
alternative of leveraging the snapshot feature of Azure Storage to make a backup of Azure 
blob storage. This runbook will take a snapshot of the source blob and copy it over to a 
different storage account as a backup. A schedule can be created in Azure Automation to 
execute this runbook depending on the backup frequency requirements. 


Prerequisites 
We need the following Azure Automation assets as prerequisites: 


AzureRunAsConection as a connection asset. This will be created 
by default when you create the Automation account. If it is not 
present for any reason, it should be created by providing the 
service principal details for the Automation account (Figure 6-13). 


Connections 


AzureServicePrincipal 4/9/2017 8:40 AM 


Azure 415/2017 6:23 PM 





























Figure 6-13. AzureRunAsConnection asset 
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An Azure Automation module for storage. You should update 
this module to the latest version if it is already present 
(Figure 6-14). 


| Browse Gallery ! X Azure. Storage 





EHE aerem rn Created by: arure- dk 
Eum Microsoft Azure Powershell = Storaqe service omdiets. Manages blobs, queues, tables and 145631 downloads Created bya azure- 
files in MecrosoA Azure shone accounts dasad: TAIAT 
Tags: Arure Storage Iob Queue Table Pihiodule ae E A pod Tun Anu 
Deper-denciesz 


Figure 6-14. Azure.Storage module 


Runbook 


#Define the storage account and context. 
param( 
# Source Storage account name 
[Parameter(Mandatory = $true) | 
[string ]$SourceStorageAccountName, 
# Source Storage account key 
[Parameter(Mandatory = $true) | 
[ValidateNotNullOrEmpty()] 
[string]$SourceStorageAccountKey, 
# Source Storage account container name 
[Parameter(Mandatory - $true)] 
[ValidateNotNullOrEmpty()] 
[string]$SourceContainerName, 
# Source Storage account blob name 
[Parameter(Mandatory = $true) | 
[ValidateNotNullOrEmpty()] 
[string |$SourceBlobName, 
#Destination Storage account name 
[Parameter(Mandatory = $true) | 
[string ]$DestinationStorageAccountName, 
#Destination Storage account key 
[Parameter(Mandatory = $true) | 
[ValidateNotNullOrEmpty() | 
[string ]$DestinationStorageAccountKey, 
#Destination Storage account container name 
[Parameter(Mandatory = $true) | 
[ValidateNotNullOrEmpty()] 
[string]$DestinationContainerName 
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) 


$connectionName = "AzureRunAsConnection" 
try 
{ 


# Get the connection "AzureRunAsConnection 
$servicePrincipalConnection-Get-AutomationConnection -Name 
$connectionName 


"Logging in to Azure..." 

Add-AzureRmAccount ` 
-ServicePrincipal ` 
-TenantId $servicePrincipalConnection.TenantId ' 
-ApplicationId $servicePrincipalConnection.ApplicationId ` 
-CertificateThumbprint $servicePrincipalConnection. 
CertificateThumbprint 


catch { 
if (!$servicePrincipalConnection) 


$ErrorMessage - "Connection $connectionName not found." 
throw $ErrorMessage 
} else{ 
Write-Error -Message $ .Exception 
throw $ .Exception 


j 


$SourceContext - New-AzureStorageContext -StorageAccountName 
$SourceStorageAccountName -StorageAccountKey $SourceStorageAccountKey 
#Fetch details of the blob. 

$blob = Get-AzureStorageBlob -Context $SourceContext -Container 
$SourceContainerName -Blob $SourceBlobName 

Echo “##H#HHHHHHHHHHDetails of blobiHHHHHHBE" 

$blob 

Echo "HHHHHHEHHEHHEHEHHEHHEHEHHEHHEHBHHBHBEU 

#Create snapshot of the blob. 

$snap = $blob.ICloudBlob.CreateSnapshot () 

Echo “HHHHHHHHHHHHHDetails of snapshotfHHHHEHBE 

$snap 

Echo "IHHHHHHEHHEHHBHEHHEHHBHHEHHHHHHHHHBHHBHHBBE" 

#Fetch time of the snapshot taken 

$SnapshotTime - $snap.SnapshotTime 

Echo "Snapshot timestamp is $SnapshotTime" 

$DestinationContext - New-AzureStorageContext -StorageAccountName 
$DestinationStorageAccountName -StorageAccountKey 
$DestinationStorageAccountKey 

$srcBlobSnapshot - Get-AzureStorageBlob -context $SourceContext -Container 
$SourceContainerName |Where-Object {$ .ICloudBlob.IsSnapshot -and $ .Name -eq 
$SourceBlobName -and $ .SnapshotTime -ne $null j 
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$srcBlobSnapshot | Format-Table -AutoSize 

$RestorePoint = $srcBlobSnapshot | where { $ .SnapshotTime -eq $SnapshotTime 
j 

$snapshot - [Microsoft.WindowsAzure.Storage.Blob.CloudBlob] 
$RestorePoint[0].ICloudBlob 

#Copy snapshot to backup storage 

Start-AzureStorageBlobIncrementalCopy -Context $SourceContext 

-CloudBlob $snapshot -DestContex $DestinationContext -DestContainer 
$DestinationContainerName 

Echo "Snapshot copied" 


The runbook does the following: 


— Create a snapshot of the source blob. 


— Then a timestamp of the snapshot is used to identify the latest 
snapshot from the other existing snapshots. 


— The snapshot is copied over to backup storage account by using 
the Start-AzureStorageBlobIncrementalCopy command, which 
initiates an incremental copy of the snapshot. 


The runbook expects the following inputs to be provided during execution: the 
source storage, access key, container name, name of the blob to be backed up, destination 
(backup) storage, access key, and container name (Figure 6-15). 








Figure 6-15. Input parameters 
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On successful execution, output of the runbook will be as shown in Figure 6-16. 


BERHRBPBHERSEFNHENHERRAEERHEFTEREEEAHAERRERAAM 


Snapshot timestamp is 07/15/2017 20141182 


ICloud lob : Lēngth ContantTypa LastModifiíisd SnapahotTime Continustion Context 
Token 


Micrazoft.... PageBlob 1363967909312 applicatio... 7/15/2017... 7/15/2017.. 


ICloudBlob MEC AMI LLERMIMIMIM MeL LL M 

BlebType : Pagelloh 

Length m 

ContentType ! 

LastModified : 77157/2817 8:41:84 PH +80:88 

ELLE LET] 

ComtinuationToken : 

Context i Micresoft.HindowszArure.Commandz.Storage.AzureStorageContext 
Name | Demcowoabuml2017012779094527.vhd 


Snapshot copied 





Figure 6-16. Runbook output 


We can use the Azure Storage explorer tool to view the snapshots being created in 
the source storage account and then later being copied over to the destination storage. 
Source blob snapshots are shown in Storage explorer view (Figure 6-17). 


E3 vhds x B backup x 


Collapse All Refresh AH 


n: e Accounts 
fisual Studia Enterprise 

&s ge Accounts 

b B iA deastasia 
b 
b 


B swa 
ES 5al4lAsoutheastasia 


B 5a1474southindia 
E3 5a1474westus 

ES ssrdemostr1 

E azureppedisks335 


ES vhds (Leased) 





Figure 6-17. Source blob snapshots 
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In Backup storage view, the snapshots are being copied over to a container named 
backup in this storage (Figure 6-18). 


backup ^m X 


= 


| p 
| E 


Collapse All Refresh All “= p ate : a 
p Download Open Copy URL Select All Copy Delete 


im Quick Access 


@ (Local and Attached) E 


uf T^ backup ^? Snapshots for Demowebvym120170127093747 vl 
^» B Storage Accounts 
4 & Visual Studio Enterprise (shijimolak&outlook.com) " 
4 £ Storage Accounts EVE cy : - = 
z : =) B rs zs LLEFSUFIUPFIUPEFLFA LEO /-0/-15120:19:25.09332062) 
5a1474eastasia » " — - 
ES 5a1474eastus 
ES 5a1474southeastasia 
ES 5a1474southindia 
Ej 5a1474westus 
ES asrdemostri 
ES azureppedisks335 
ES iaasdemostores 
" Blob Containers 


B| backup 


ca Demowebum120170127033747 vhd 





Figure 6-18. Backup storage view 


Linux Node DSC Configuration Management 


In this use case, we will install a package in a Linux node using DSC and then start the 
corresponding service associated with it. We will install the reverse proxy software nginx 
using this runbook and start the service. 


Prerequisites 


The Linux node should be onboarded to the Azure Automation DSC account. The 
steps were explained in Chapter 4. The next step is to import the nx module into the 
Automation account that includes the DSC resources for Linux (Figure 6-19). 


Popularity Id 


Module with Dec Reseueces tee Linn 


Created byt MEET OSTE 
Module aih DEC Resources few Linai TEIT downloads 


Tage FModule Last updated: 9/25/2015 Created by; MSFT OSTE 
Tage: Psliaduk 





Figure 6-19. Importing the nx module 
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This module comes with built-in resources similar to the resources available for 
Windows (Figure 6-20). 


Mx 


Activities 


DESCRIPTIO 


nxArchive 
nxEnvironment 
nxFile 
nxFileLine 
nxGroup 


nxPackage 


nxScript 


nxService 
nxSshAuthorizedKeys 


nxUser 





Figure 6-20. Activities in the nx module 


We will be using the nxPackage and nXService resources in our runbook, which are 
used for package management and service management, respectively. 
Runbook 


configuration nginxlinux { 


Import-DscResource -ModuleName nx 

node localhost { 

#nginx package installated using nxPackage resource 
nxPackage nginx 


{ 
Name = "nginx" 
Ensure = "Present" 
PackageManager = "Apt" 
j 
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#nginx service status checked using nxService resource 
nxService nginxservice 


{ 
Name = "nginx" 
Controller = "init" 
Enabled = $true 
State = "Running" 

} 

} 
} 


Create the runbook and compile it. Before applying the configuration, we will 
tweak the LCM on the target node to make the refresh interval smaller and the change 
configuration mode to AplyAndMonitor. Thus we can ensure that the configuration is 
pulled from the Azure Automation pull server and applied immediately. Here is the 
command to be used: 


sudo ./Register.py --RegistrationKey <Automation account 
registration key»  --ServerURL «Automation account registration 
URL» --RefreshFrequencyMins 5 --ConfigurationModeFrequencyMins 5 
--ConfigurationMode ApplyAndAutoCorrect 


Before applying the DSC config, we will check the nginx service status in the target 
node. The service will be listed as unrecognized (Figure 6-21). 


Figure 6-21. Checking service status 


Select the node from the Azure Automation DSC node list and then choose Assign 
Node Configuration. Select the compiled node configuration and click OK. The new 
configuration will be applied, and after some time the node status will be shown as 
compliant (Figure 6-22). 





| 
ia nbooks Gallery elects v 
| 


CONFIGURATION MANAGEMENT 
NAME STATUS NODE CONFIGURATION 


W DSC nodes 
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Figure 6-22. Applying the DSC configuration 
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Let’s go back to the target node and review the service status (Figure 6-23). 


AL VR 


Figure 6-23. Reviewing the service status 


The nginx service will be available at port 80 of the server (Figure 6-24). 


B WPA ETL ILE D-0 ge Welcome to nginxl | € 





[ Microso.. Ma Pricing Calculator Microsof.. g|LBdema &|Demaoweb2 &! DemoWebl DJ Microsoft Azure Roadmap EP Microsoft Azure €) azure-quickstart- 


Welcome to nginx! 


If you see this page, the nginx web server is successfully installed and 
working. Further configuration is required. 


For online documentation and support please refer to nginx.org. 
Commercial support is available at nginx.com. 


Thank you for using nginx. 





Figure 6-24. Nginx web page 


DSC Composite Resources in Azure Automation 


DSC composite resources can be used in Azure Automation in such a way that the 
configurations can be reused. The composite resources can be imported as modules in 
Azure Automation. In simple terms, the composite resource is a DSC configuration that 
can accept input parameters. When we convert them as modules in Azure Automation, 
they can be imported from another DSC configuration and then the values of parameters 
can be passed on. The parameters in this context will act as the properties of the DSC 
composite resource. In this use case, we will create a DSC composite resource, upload 

it as module in Azure Automation, and finally call this module from another DSC 
configuration, thereby enabling reusability. 


158 


CHAPTER 6 ™ SAMPLE RUNBOOKS AND USE CASES 


Step 1: Create DSC Composite Resource 


There is a specific folder structure to be followed while creating a DSC composite 
resource that can be uploaded to Azure Automation DSC as a module. The folder 
structure is shown in Figure 6-25. 


| ModuleName 


L---- ModuleName.psd1 


b === ModuleName.psm1 


I 

I 

za -CompositeConfigl.psd1 
L_.CompositeConfigl.schema.psm1 


P 


i 
| 

Ez -CompositeConfig2.psd1 
L..CompositeConfig2.schema.psm1 


L] 
ET -CompositeConfigN.psd1 
L . .CompositeConfigN.schema.psm1 





Figure 6-25. Composite resource folder structure 


Create the root folder with the name of the module that you want to create. It should 
contain the corresponding .psm1 module file and the manifest file . psd1. There should be 
a folder named DSCResources inside the root folder. The DSC composite resources should 
be present inside the DSCResources folder. These composite resources should have a 
.psd1 as well as . schema. psm1 file. The . schema .psm1 extension is required to mark it as 
a composite resource. This file will contain the contents of the DSC configuration, which 
can be later called as resources by other configurations in Azure Automation DSC. 
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Let's start by creating the root module folder (Figure 6-26). 


TNR = par 
i! 


bo 
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Figure 6-26. Creating the root module 


Create the .psd1 file associated with it by using the New-ModuleManifest command 
(Figure 6-27). 


New-Modu leManifest 





Figure 6-27. Creating the .psd1 file 


In the folder, we can see that the .psd1 file gets created (Figure 6-28). 







OSDisk (C) >» Compositemodule 


^ 


Name 


~) compositemodule.psd1 





Figure 6-28. Listing the .psd1 file 
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Part of the content of the file is shown in Figure 6-29. 


| compositemodule.psd1 X | 


= 
: Module manifest for module 'compositemodule' 


; Generated by: userl 


# 
# Generated on: 7/17/2017 
# 


zt 


e usos n vun 4 ua PRI I 


# Script module or binary module file associated with this manifest. 
RootModule = 'Compositemodule' 


# Version number of this module. 
Moduleversion = '1.0' 


# Supported PSEditions 
# CompatiblePSEditions = @() 


# ID used to uniquely identify this module 
GUID - '98379e2d-4778-45f5-b02a-1df1392elcdf' 


# Author of this module 
Author 'userl' 


# Company or vendor of this module 
CompanyName = 'Unknown' 


# Copyright statement for this module 
Copyright = '(c) 2017 shiak. All rights reserved. ' 


& Description of the functionality provided by this module 
# Description = '' 


# Minimum version of the Windows PowerShell engine required by this module 
# PowerShellversion = 


Name of the Windows PowerShell host required by this module 
* PowerShellHostName - 





t Minimum version of the windows PowerShell host required by this module 


Douwarthalliumsztia re 4n = 





Figure 6-29. Contents of the file 


You can see that the manifest contains metadata information, any defined 
prerequisites, any functions, cmdlets, aliases to be exported, and so forth. 
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Create a blank .psm1 file in the same folder with any content, which could even be a 
comment (Figure 6-30). 


^ OSDisk (C) > Compositemodule 


PS 


C] Name 


| DSCResources 
4) compositemodule.psd1 


[7] «] compositemodule.psm1 


7 compositemodule.psm1 - Notepad 


File Edit Format View Help 
#test 





Figure 6-30. Creating a .psm1 file 


This file is required for uploading the module in Azure Automation. 
The next step is to create the DSCResources folder and the composite resource folder 
inside the root folder (Figure 6-31). 


mkdir 





Figure 6-31. Creating the DSCResources and composite resource folders 


Create a manifest for the composite resource named Composite1. This time, we will 
be creating the schema.psm1 file as well, which identifies this as a composite resource 
(Figure 6-32). 


New-ModuleManifest 





UT ree " 
AgGg-Content 


Figure 6-32. Creating the manifest 
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The files get created inside the Composite! folder (Figure 6-33). 


Compositemodule > DSCResources > Composite1 


[] Name 


a) composite1.psd1 
al) Composite1.Schema.psm1 





Figure 6-33. List of created files 


The contents of the .psd1 file will be similar to the Compositemodule.psd1 file 
created earlier. In the composite1.schema.psm1 file, add your DSC configuration 
(Figure 6-34). 


Composite1.Schema.psm1 X 


1 
configuration Compositel { 


2 

3 

4 File 'filecreate' { 

5 DestinationPath 'C:\Newfile.txt'’ 
6 


Contents 'Composite DSC test' 
Ensure ‘Present’ 





Figure 6-34. Adding the DSC configuration 


We will go with a simple configuration to create a new file and add content to it. Note 
that the node statement is not present, since this DSC configuration will be used to create 
a resource that will be called by other configurations. 

We have now created all the required files for the module. To create the module, 
simple zip the root folder to create a compositemodule.zip file and upload it to Azure 
Automation. 
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Step 2: Import Module in Azure Automation 


From the Azure Automation account, choose Shared Resources > Modules > Add a 
Module > Browse. Select the zip file and click OK (Figure 6-35). 


Add Module 


Importing a module may take 
several minutes. 


Upload File (.zip format, 100 MB max size) @ 


Compositemodule.zip 


X o 


Compositemodule.zip 





Figure 6-35. Importing the module 


You will get a notification that the file is successfully uploaded and the activities are 
being extracted (Figure 6-36). 


i OREO 


Notifications 


Dismiss: 


|) Uploaded module 12:58 PM 


| Uploaded module 'Compositemodule'. Extracting activities. 





Figure 6-36. Extracting activities 
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If the module is successfully uploaded, you can see the composite resource listed as 
an activity under the module (Figure 6-37). 


Compositemodule 
Module 


hu] Delete 


Overview 


Compositemodule 


Last modified: 7/17/2017 12:59 PM 
Version: 1.0 

Size: 4 KB 

Global module: No 


Activities 


1% 
MAME DESCRIPTION 


Composite 





Figure 6-37. Comsposite resource listed as activity 


Step 3: Create DSC Configuration That calls the Uploaded 
Modules 


We will create a basic DSC configuration that calls the resource Composite1 from the 
uploaded modules. Note that there are no parameters in this resource; however, if your 
original DSC composite resource expects parameters, it can be passed on at this point 
from with the DSC configuration. 


Configuration dsccompositemodtest { 


Import-DscResource -ModuleName PSDesiredStateConfiguration 
Import-DscResource -ModuleName Compositemodule 


Node localhost { 
Composite1 server1 { 


j 
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Save the contents as a . ps1 file and upload it to the Azure Automation DSC 
configuration (Figure ). 


m Import 
Configuration 


Add a new configuration or update an existing 
one. Select a file smaller than 1 MB to import. 


Configuration file & 


dsccompositemodest.ps1 


dsccompositemodest.ps1 


Name 


Description 








Figure 6-38. Uploading the .ps1 file 


Compile the configuration. If all goes well, the configuration will be successfully 
compiled (Figure ). 


dsccompositemodtest 


Configuration 


om] 
En 


€P Compile g Export X Delete 


Essentials ^ 


ACCOUNT 


omsrg omsrqautmn 


! JAMES 
Samii eee Published 


121 | alli ur LEES HI CUL 


F1 i2017 1:28 PM View configuration source 


Deployments to Pull Server 
Compilation jobs 
STATUS CREATED LAST UPDATED 


Completed 7/17/2017 1:28 PM 7/17/2017 1:30 PM 





Figure 6-39. Compiling the configuration 
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The next step is to apply this configuration against a target node. Select the node 
from the Azure Automation account and then choose Configuration Management > DSC 
Nodes. Click the Assign Node Configuration option and select the newly compiled MOF 
from the pull server (Figure ). 


fA B A L KU P V M | P 4 - x t As sig n h Jo d e C on fig ne a a 
z EACKUPVMT 


nm Assign nade configuration $È Unregister 


: : | Changing the node configuration assignel 
Essentials ^ | a ging g g 


configuration to metch the node configu 


LUE ES 
j j HAM E 
Hehe  omergautmn 
dsccomposatemodtest localhost 





"7 7/201 F 1:29 PM BAC KUPVMI 
Figure 6-40. Assigning the node configuration 


The configuration will be updated when the target node contacts the pull server the 
next time. Until that time, the status will be shown as pending (Figure ). 


* Add Azure VM + Add on-prem VM [Z Learn more o Refresh 


DSC nodes Status 


Search nodes... 7 selected 


AN NODE CONFIGURATION 


BACKUPVM1 dsccompositemodtest.localhost 





Figure 6-41. Status before the node contacts the pull server 


Once the configuration is updated, the status will be compliant (Figure ). 


E Add Azure VM E Add on-prem VM [Z Learn more o Refresh 


DSC nodes Status 


7 selected 


“ STATUS ^. NODE CONFIGURATION 


BACKUPVM1 Compliant dsccompositemodtest.localhost 





Figure 6-42. Status after the configuration is updated 
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You can double-click the node to get more details about the configuration being 
applied (Figure 6-43). 


7/17/2017 2:14 PM 


Report 


E View raw report 


Report details 
Report ID 
cedbe218-6af1-11e7-940c-000d3a1 185... 


Report status 


Compliant 


Report time 
7/17/2017 2:14 PM 


Start time 
7/17/2017 2:14 PM 


Total runtime 


1 seconds 


Type 
Consistency 


Resources 


ø File Compliant 





Figure 6-43. Viewing details of the applied configuration 


It is interesting to note that the File resource originally defined in the DSC composite 
resource is being listed here. 
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As a final step, let’s log in to the server and check whether the file is present in the C 
drive with the contents defined in the DSC configuration (Figure 6-44). 


Local Disk (C:) 
Home Share View 


- T ila + Computer + Local Disk (C:) 


a 


: blame Date modified 
avorites 


Desktop Js cttest 
Downloads do Packages 
Recent places d Perflogs 
P" Program Files 
braries di Program Files (x86) 
Documents Jk Users 
Music J WER 2/15/2016 10:41 .. 
Pictures di Windows 7/16/2017 5:55 Ph File folde 
Je WindowsAzure 3/14/2017 4:49 Phy File folde 
|. | NewFile 7/17, Text Document 


File Edit Format View Help 
| Composite DSC test 


Mew 1 





Figure 6-44. Status in the target server 


The file is present, and we can conclude that the DSC composite configuration is 
successfully applied via Azure Automation DSC. 


Summary 


This chapter, the last one in this book, covered different practical use cases of Azure 
Automation. This includes Office 365 automation and management, Linux machine 
management, and complex configurations such as DSC composite resources. 
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Conclusion 


Azure Automation is a versatile tool in the arsenal of Azure administrators that can 
accomplish various complex tasks easily via runbooks, DSC configurations, hybrid 
workers, and more. In this book, we discussed the building blocks of Azure Automation. 
The most fundamental building block is the runbook, and Chapter 3 covered the various 
types. Runbooks are built on the foundation of PowerShell. The built-in galleries and 
PowerShell repositories have many runbooks that are contributed by Microsoft as well 
as by the PowerShell community; these cater to most of the common use cases. It is also 
easy to create and upload runbooks of your own if you have expertise in PowerShell. 
The Automation assets such as variables, credentials, connections, and certificates 
prove a robust framework for sharing resources between runbooks and help establish 
connections with target resources quite easily. Azure Automation is not limited to your 
infrastructure hosted in Microsoft Azure. You can use the tools in it to manage resources 
hosted on-premises as well as in third-party datacenters using DSC configurations and 
Azure Hybrid Runbook Worker. Chapters 4 and 5 covered in detail how they can be 
effectively leveraged to accomplish these infrastructure management tasks. Finally, we 
touched upon some common use cases for Azure Automation in Chapter 6 and provided 
sample runbooks for the same. You can go through the following additional resources if 
you want to explore more about Azure Automation. 

Happy learning!! 


Additional Resources 
https://docs.microsoft.com/en-us/azure/automation/automation-runbook-gallery 


https://gallery.technet.microsoft.com/scriptcenter/site/search?f[0]. 
Type-RootCategory8f [0] .Value-WindowsAzure8f[1].Type-SubCategory&f[1]. 
Value-WindowsAzure automation&f[1].Text-Automation 


https: //www.powershellgallery.com/ 
https://docs.microsoft.com/en-us/powershell/dsc/overview 
https://docs.microsoft.com/en-us/powershell/dsc/decisionmaker 
https://docs.microsoft.com/en-us/azure/automation/automation-dsc-diagnostics 


https: //docs.microsoft.com/en-us/azure/automation/automation-azure-vm-alert- 
integration 


https://azure.microsoft.com/en-us/blog/tag/azure-automation/ 
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